The Cult Of Compliance
SecurityBuddha has been navel-gazing about compliance recently. He even has a post that talks about how every vendor and their fat, ugly sister is hawking their product as the key to compliance. This, of course, jibes with some recent observations about the floor at RSA. Good stuff, that SecurityBuddha site.
And of course, he’s right. There is no "compliance appliance" you can buy - just as a Pentium box, painted red and performing automated penetration testing, isn’t "risk management." But vendors want you to think that their products will bring you compliance. Why? Because the Cult Of Compliance is in full swing, and if you don’t know your risk from your elbow, you’re going to have a tough time ignoring it.
The Cult Of Compliance
The Cult Of Compliance is actually easy to join. There are dozens of standards, just pick one and make your business case for adhering to it! The cult is actually very popular these days, so you won’t be alone. Now there are three types of believers in the Cult Of Compliance:
- Consultants - Known by their Pharisaical stance, Consultants are the high priests of the Compliance Cult. The believers must obey their directives and commands, because the Consultant has a direct line with the Golden Calf of Government (and don’t doubt that they don’t). Consultants love compliance because regular audits are mandatory. It’s job security built in.
- Vendors - The Charismatic bunch of the group, the Vendors are the ones dancing and singing, banging on noisy tambourines and attracting you with scantily-clad women. They have the fatted calves and doves for you to buy and sacrifice at the altar of the Golden Calf under the watchful eye of the High-Priest Consultant. If you don’t buy their wares, then you may just anger the Consultant-Priest and therefore, the Golden Calf. Vendors love compliance because every so often a regulatory body might issue a "guidance" about some technology you might want to consider. No doubt, their particular product is mentioned almost specifically in some memo or letter someone wrote to somebody once.
- Unsophisticated Security Management - The true believers. You can spot the USM by their wide eyes and perpetual nodding. Managers who use Best Practices love compliance. Why? As I overheard someone say, "Compliance makes the company buy us stuff". Which is all well and good, except for the fact it is dead wrong.
The Problems With The Cult of Compliance
Well first, don’t tell anybody, but it’s multi-level marketing. And you’re at the bottom of the pyramid.
Second, it’s addictive. You can’t just have one standard, you know. There’s SAS 70 and GLBA and SOX and HIPAA and PCI and ISO 17799 and ISO 27001 and ITIL and COBIT and COSO and Basel II and NCUA 748 and BITS AUP and on and on and on…. I once talked to the CISO of a mid-level F.I. who remarked that out of any 20 business days - they spent 15 dealing with some compliance-based audit or another.
Third, it’s just a checklist. So TJX was out of compliance when they were hacked. Big whoop. Let me ask you this: what if they had passed their PCI compliance audit and were still hacked by a different attack vector? What then?
Fourth, compliance is a hamster wheel of pain. Are we in compliance? -> Hire Consultant -> The Consultant Says No -> Scurry and spend -> Repeat.
Fifth, it’s doomed to business failure. A CISO can’t really "manage by compliance" (Despite what the cult members might believe, you can’t figure ROI for Compliance, either). It is especially important to note:
Compliance is of little use to mature security organizations.
Compliance Is Not A Vending Machine
Right now, Managers think that compliance helps them buy stuff, get a seat at the table, raise their visibility. They’re wrong.
It is the risk tolerance of business management, not compliance, that increases budgets, political viability and organizational visibility.
Remember, risk is the probability of a loss event and the probable loss magnitude. When considering the magnitude of probable losses, compliance is only one of six forms of monetary loss. As I mentioned in the Phishing Article recently - if there weren’t probable compliance losses, many F.I.’s wouldn’t care about anti-phishing expenditures that were out of whack with their actual response and replacement losses. If you think about loss that way, you understand that it’s only the increase in probable losses due to various compliance factors that presents a business case for new controls. It’s the risk tolerance of the business owner that buys the control. What happens when management will tolerate being out of compliance? Don’t know, but you can ask people with HIPAA concerns how well the threat of non-existent fines gets them a seat at the table.
So yes, even almighty compliance can be made subject to real risk management. In fact, understanding risk is the only way you’ll ever have control over the Cult and its members, because there’s real power in risk analysis. Good risk analysis will help you address those areas that the government wants you to address, and ignore the over-zealous external auditors and vendors with their superfluous findings and offerings. The next time an auditor wants to talk about a finding or a vendor wants to sell you a control, I encourage you not just to roll over, but to use FAIR to examine whether their proposition has merit. You might just be surprised at what you find.


Datasecurity Feb 13
I agree with your rant that we should not use “compliance-as-a-stick” to discuss ROI, but with PCI compliance there are specific fines and penalties that will be pro-actively levied against companies that do not comply. These are actual numbers that will hit merchants starting March 30, 2007.
Alex Hutton Feb 13
Well, I suppose then I should amend my post to mention that, in general, Compliance is a terrible idea because *all* “ROI” will be negative.
Formula:
Post-intervention productivity level
- Pre-intervention productivity level
X Dollar value of a unit of performance OR Individual salary over a time period
X Percentage of time on job spent performing tasks impacted by the intervention
X Percentage of productivity improvement attributable to the intervention
X Number of participants involved in the intervention
= BENEFIT OF INTERVENTION
Post-Intervention productivity will ALWAYS be lower than pre-intervention productivity. Wow that sucks.
planetheidi Feb 18
If you think ISO 27001 is about compliance, then you don’t understand ISO 27001 certification. You are getting certified that you have a process for managing information security. The requirement for that process is open-ended, so it can be tailored to the organization’s needs. The auditors are specifically trained NOT to use a checklist approach but rather to use a positive assurance model. On top of that, you can then map whatever 27001 control set you choose onto all of your existing compliance needs. It’s worth checking into more before lumping it into the list of checklists.
wayne Mar 24
Compliance can be an easy excuse, but there is abundant evidence that the controls required deliver what was intended, value to the organisation.
Check the studies into IT controls performance and IT governance released by The Information Technology Process Institute (ITPI) and the consulting firm PricewaterhouseCoopers.
CIO Magazine interviewed Dwayne Melancon, ITPI research fellow, and Steve Woolley, partner of the PricewaterhouseCoopers advisory and technology practice, about the results and discussed how a CIO can turn IT controls into business productivity.
http://www.cio.com.au/index.php/id;593558102
More on the research is here:
http://www.itpi.org/home/default.php
anyone looking at ITIL should consider
sandra407 Sep 9
Hi! I was surfing and found your blog post… nice! I love your blog.
Cheers! Sandra. R.
it audit Jun 10
-Bosses should be kinda familiar with the top desktop and notebook operating systems out there. That’s why companies hire Information Technology Auditors!