Using The Compliance Stick Actually Weakens You
Anton is the “PCI Guy” (sorry, not sure of his real title) at Qualys. If you haven’t seen them yet, he’s got some pretty ranty posts about PCI up. Which are awesome. In his most recent post he talks about the “Compliance First” mindset.
After I read the article, I thought “boy, Anton’s going to get a chorus of people saying that PCI compliance serves them well because it ‘gets them budget’”. So in thinking about his post and that probable response, it occurs to me that prescriptive compliance actually weakens our individual value to the organization in the long run.
HOW DO WE ACTUALLY GET “SECURE”?
I hope most readers will agree with me that “security” (a.k.a. the amount we can reduce risk) is a byproduct of more than just the technology we employ. In the hundreds of blogs that I subscribe to in our industry, just about once a month somebody writes a post that gently reminds us of this fact. But all this ruminating on the place and purpose of technology begs a rarely answered question: If not technology, then what does make us “Secure”?
Let me offer something based on Jack Jones’ models. “Security” is more accurately measured by looking at:
- Our ability to make good decisions
- Our ability to execute on those decisions
THIS is what we should be making “checklists” for (1) and developing metrics around. All your technology purchases should be subservient to those two aims. Are you deciding to protect PII (like credit card numbers) because of your exposure to risk? Great! Encryption, Anti-Virus on servers, web application firewalls, all these things may help you execute that decision.
And then again, they may not. When I read Anton’s post, what immediately came to mind was all the shelfware I’ve seen purchased over the last ten years in the name of compliance. We can have all sorts of checklist compliance, but not be able to do a thing about prevention/detection/response because we cannot execute (no skills, no resources, no motivation, etc.).
THE EXECUTIVE DECISION
When we see shelfware, or huge amounts of tools bought and then managed by two or three low-paid jr. security engineers, when we cannot execute - this is indicative of someone’s decision. The decision to be compliant first (and only), and to execute using the premise that the majority of our risk is not due to primary threat communities (the folks we like to focus on; the fabled Russian Business Network, some guy in Turkey, or other boogeymen), but that most of our probable losses come from secondary threat communities (read: regulators).
Why do decisions like this get made? My assertion to you is that they’re made because we, security management, are unable to articulate risk and the value our capability to manage risk has to the organization.
See, your CFO, your CEO, and maybe even your CIO, they have things to worry about that are bigger than the latest Safari RSS vulnerability. They worry about things that have a higher likelihood and impact to them than even the potential compromise of the majority of SSL certs on the Interwebs. And unless you give them a reasoned, rational analysis of why they should care about these things in a manner that they can compare to their other problems on a same-to-same basis - they’re going to have to make those decisions themselves. Those decisions will be made intuitively, ad-hoc, with their own biases and ability to transfer personal risk (you’re the one fired, not them). And when they make that decision in that manner, you’re not a peer or much of anything other than the guy who “knows technical security but not business”.
What management needs is someone who is consultative in a manner that is without FUD, without bias, and allows them to make (or at least feel like they’re making) a good decision.
WHY PRESCRIPTIVE COMPLIANCE WEAKENS OUR INDUSTRY
Using prescriptive regulatory compliance to “get your way” removes your ability to be that consultant. So you don’t help make good decisions and therefore, in the eyes of management, have yet to earn the right to make the decisions you feel you need to make. In the long run, you turn into the “guy who manages our PCI stuff”, and your value is limited to doing just that. And therefore, so is your budget, your ability to execute, and ultimately, your “security”.
=============================
(1) after all, checklists do have their place
shrdlu Jan 15
You said it — talking compliance is just another form of talking vulnerability, and is therefore still FUD. And not even very impressive FUD, either (hackers are a lot more exciting than auditors).
Anton Chuvakin Jan 15
First, thanks for highlighting this!
>hackers are a lot more exciting than auditors
Maybe. However, I am getting a sad impression (stronger and stronger impression at that) that for a huge number of people auditors are MUCH scarier than hackers AND their threat is IMMINENT which hackers’ threat is questionable or at least questioned.
DwayneDibbly Jan 15
This is a fascinating topic. One thing that strikes me is that, one way and another, fear of auditors and ‘license to operate’ compliance (PCI/SAS70/ISO) is currently driving business ’security’ (their words not mine) spend, crumbs of which currently fall upon my table. That is a significant blind spot in an issue like this. That said, business is business, and it is driven by money. Having a good relationship with ‘the money’ to the extent that one can influence decisions to reflect the appropriate security posture (or indeed any technical posture for that matter) is primarily about effective communication and realpolitik. That is a mighty large topic and one which has a strange relationship to concepts such as rationality (however much we think that paradigm is in the decision making ascendancy). Your point about decisions is crucial; my concern is that what makes a security practitioner does not always make a business executive. Perhaps, however unpalatable, we must go compliance first and security second. What makes us an effective security manager is that we don’t let the business forget/ignore the reality of the second. Steve Christey’s comment neatly sums up “The best security program is one in which the customers are exactly as safe as they want to be.” If PCI is all that is wanted by business’s end-customers, who am I to disagree (however muddleheaded that might be)?
Jack Jan 16
The challenge with “… customers being exactly as safe as they want to be” is that there’s a HUGE assumption at play. That assumption is that there’s some sort of known level of “safeness” associated with whatever compliance standard they’ve hitched their wagon to, AND that level of safeness matches their risk tolerance.
DwayneDibbly is absolutely right about security practitioners not always making great business executives. I’d go a step farther and submit that few security practitioners have the broader business perspective AND willingness to take risk that is necessary in business. (Lord knows I struggle with this.)
As for compliance first and security second — where does risk management fall into that? Third? Of course maybe I misunderstood and “security” was meant to include/reflect risk management. Either way, I have to agree that for some organizations (those starting from scratch, or nearly so) grabbing a reasonably defined standard (PCI not being one of those) as a place to begin can make sense. Unfortunately, too many of the practitioners I run into are all too happy to use the compliance crutch because they haven’t come to terms yet with the fact that their own beliefs don’t matter about what the “right” level of risk is for their organization.
DwayneDibbly Jan 19
@Jack
Your last sentence is absolutely spot on!
I personally think security and risk are fundamentally intertwined - both are reflections of our fear and need to protect. One without the other is pointless (risk is like echo location for fear).
The power of the “customers…….” formulation (IMHO) is the realisation, also present in your last sentence, that the herd will make their own judgement regardless of its actual wisdom (and it is also likely to be fickle and unforgiving - “the nail that sticks out is hammered down”). A mature understanding of the cultural aspects of infosec is some way away, but is the missing intellectual piece in the infosec pantheon (IMHO). Finding the ‘level’ is the praxis point between the political and the scientific faces of infosec.
Good business is to listen to the customer, and give them exactly what they want. Anything else is not worth the risk.
Tommy Landry Jan 20
That’s the key - strategic management of security, risk, etc. We see all too often that IT groups think the answer to their problems is to buy another monitoring tool to throw at their network. In reality, there are two missing components in that equation: WHY they are buying that particular tool, and WHETHER they’ve already got something that can solve the problem which just simply hasn’t been properly capitalized on yet.
And there’s no way to strategically tackle the problem if you don’t know exactly what is happening in the network itself. After all, how can you mitigate risk if you can’t quantify it?
The first step is to determine your goals. Next, audit what tools you already have available at your disposal. Third, figure out a way to maximize your utilization and coverage with those tools using a tool aggregation/optimization or similar product.
Alex Jan 20
Hi Tommy,
“WHY they are buying that particular tool, and WHETHER they’ve already got something that can solve the problem which just simply hasn’t been properly capitalized on yet.”
Taiichi Ohno’s 5 “Why’s” would seem appropriate, wouldn’t it?
Michael Dickey Jan 21
RE: Heartland Payment Systems: You’re right, of course, the question about their PCI compliance isn’t trivia or trivial. I think that was my idealistic side coming out hoping the PCI gets perceived back where it should be: as raising the bottomline, rather than the insinuation the media (and some business mgmt) makes that PCI compliant == secure. I doubt that; more likely PCI will be crucified publicly.
Sadly*, the people who pay will be the CSO/CISO when they get shown the door because they relied on PCI.
* Or maybe not so sadly if we want to apply survival of the fittest…
Tommy Landry Jan 22
Hi Alex,
Did you mean the 7Ws, or am I misunderstanding your feedback?
Tommy