Several weeks ago an Australian friend of mine sent me a delightful note pointing out how recent events and media reporting had confirmed some controversial points I had made last year in the Australian press
There is now growing evidence that compliance does not guarantee security, though the reverse can sometimes be true. For many years I have been lecturing on the difference between real security and compliance. Most security professionals instinctively get it. But the distinction is not addressed adequately in training courses or acknowledged by institutes, so the practice remains riddled with misconceptions about the roles effectiveness of security and compliance.
The reason we have compliance is because people do not willingly spend time or money on security. Business has no appetite for spending money to dodge risks that have yet to materialise. And there is no guaranteed return on investment for security. It’s a leap of faith, the type of thing that finance managers hate. Without compliance there would be little or no security in today’s more demanding commercial environment.
But a compliance programme cannot make an enterprise secure. On the one hand it’s designed to improve matters, so one could argue it’s better than nothing. On the other hand it can be counter-productive as it diverts scarce resources from addressing more immediate, specific risks. (This is a debate I regularly have with Professor Fred Piper.) In the absence of a major incident, however without compliance nothing would get done. So we need it and we would demand it if it was not there.
Compliance can make a difference but it’s painfully slow and expensive. The PCI DSS standard comes in for lots of stick. But without it, the level of payment card fraud would be higher. It might not be perfect or efficient but it motivates a lot of security improvement in an area that has traditionally been dangerously open to compromise.
It would be nice to think that good security would guarantee compliance. Unfortunately that’s not correct either. Regulators and auditors require a large number of small boxes to be ticked and an unreasonable amount of processes, paperwork and evidence to support security claims. Smart, slick operators do not survive audits. Compliance rewards bureaucratic security managers.
If you take a look in any leading financial enterprise today you are likely to find hundreds of security professionals being driven by thousands of auditors of varying kinds. Twenty years ago these functions were a tiny fraction of their size today. Yet security has not visibly improved. Ninety percent of the work is focused on developing content-free processes, counting assets, assessing risks, writing policies that go unread, measuring last year’s performance or generating evidence that a control is in place. Very little work is focused on implementing real countermeasures.
Efficient and effective security will only happen following three things. Firstly, a great big incident or liability that scares directors into spending money on countermeasures that actually work. Secondly, an understanding by the security profession of the root causes of incidents and the approaches needed to eliminate them. And thirdly, the recognition that large-scale culture changes are possible if top management is sufficiently motivated.
Some supporting evidence for these claims can be found in the history of industrial safety. In the early part of the last century many production methods were unacceptably dangerous, especially in the United States. It took many decades to drive through change, but by the end of the century safety was transformed and embedded across manufacturing industries. Some of this was driven by compliance but the largest cultural changes were directed by executive boards and shaped by an understanding of the root causes of incidents, the nature of an effective safety culture, and a genuine recognition that safety is everybody’s responsibility. In the security profession we are a long, long way from achieving that goal.