The Dangers of Over-Reliance on Compliance

Consultants Charles Cresson Wood and Kevin Beaver offer a more holistic look at information security requirements

Have you noticed that many of the firms suffering high profile, serious, and expensive information security breaches have nonetheless been 'compliant' with certain laws, regulations, or standards? Consider the case of credit card processor Heartland Payment Systems, which recently suffered the unauthorized disclosure of over 100 million credit card and debit card transactions. The firm handles the transactions of over 175,000 merchants. Hundreds of banks have already had to reissue cards as a result of the breach. Note that Heartland was, at the time, certified as fully Payment Card Industry (PCI) compliant. Many other organizations that fall under various Federal, state, and industry regulations are continually experiencing breaches as well. According to The Chronology of Data Breaches (, millions of records have been compromised thus far in 2009.

Management at far too many organizations has been placing too much emphasis on compliance. Adequate information security cannot be achieved by simply being in compliance with all relevant laws, regulations, and standards. As much as management might like the definitive statement that this compliance provides (and certainly there are marketing benefits of such compliance), all these compliance efforts still say nothing about whether management has taken the time to do the necessary risk management. These compliance efforts still say nothing about whether management has struck the right balance between competing security-related objectives and struck this balance in a manner that is specific to the environment in question.

A common problem we see is the inability of information security and compliance managers to focus on what's important when it comes to compliance. Certain people focus solely on security operations, at the same time overlooking important technical issues. Others believe that running security scans on a periodic basis is enough. Some believe that running down a checklist of compliance requirements is all that's needed. Sorry, but it's not that simple. We've even seen situations where the people in charge weren't aware of what they needed to comply with, such as state breach notification laws. Wise managers know what they're up against and have the ability to determine what's appropriate in the context of the business rather than treat everything as black or white-right or wrong.

The Shifting Landscape

Part of the problem here is that these laws, regulations, and standards are static. In contrast, information security is dynamic, in fact very rapidly changing. Managers who believe that they are going to establish a secure environment by simply doing the minimum, simply becoming compliant with the requirements specified in laws, regulations, and standards (and hopefully legal agreements as well), will be woefully disappointed. A formal risk management process is instead required. Managers need to look at the unique circumstances of their computing environment-things like the level of user awareness about information security, the type of information systems technology deployed, the type of products and services offered. The nature of the controls needed will then be a function of these situation-specific factors. All of this work of course needs to be performed after a risk assessment is completed, an exercise that needs to take place at least every year. Information systems evolve and change too quickly to warrant anything less.

Another part of the problem is human nature. People want shortcuts-a direct result of the innate human need for instant gratification. Furthermore, people don't want to have to pay any more money than they have to, people don't want to have to think deeply or exert more effort when they are already overwhelmed with other matters. The problem is also a function of societal expectations. Wall Street focuses on short-term results, and rewards managers who cut costs today, even though these same managers may be risking the organization's bankruptcy in the longer term future.

Likewise, the legal system has not yet established the proper incentive systems. Often those in a position to do something about security problems are not legally liable for losses. For example, the operating system vendors are not being held liable for the many damages done by malware, such as Trojans, even though we have had the technology to eliminate malware entirely for many years (and it was in fact incorporated into many mainframe systems). The focus in the information security field has recently, as a result of these psychological and societal factors, been short-term and unduly narrow in scope.

Join the CSO newsletter!

Error: Please check your email address.

Tags compliance

More about Amazon.comAmazon Web ServicesCA TechnologiesISMISOWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Charles Cresson Wood and Kevin Beaver

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts