“Surplus” of security frameworks breeding complacency, panel warns

Security practitioners have so many potential security frameworks to choose from that their effectiveness is being compromised as companies spend too much energy focused on achieving compliance rather than maintaining it, industry experts have warned.

Speaking in a security panel session at this week's Cisco Live! technical conference, Australian Cyber Security Research Institute CEO Gary Blair warned that while standards such as ISO 27000 and COBIT had value in providing guidance for the establishment of overarching security frameworks, “most of those are too large and too complete for organisations to embrace.”

More pragmatic frameworks targeted directly at cybersecurity, such as the Australian Signals Directorate's 35-item Strategies to Mitigate Targeted Cyber Intrusions, offered a more achievable target for organisations wanting to improve their security, Blair said.

“We have a surplus of frameworks but that is one I would recommend to everyone to consider,” he said. “I recommend it to all the corporates we deal with because it cuts through all of the issues” typical organisations face in securing their environments.

Telstra chief information security officer Mike Burgess agreed that an over-reliance on security frameworks often gave organisations an inflated sense of security.

“There are a number of security frameworks out there,” he said, “and I have seen organisations that implemented those frameworks well but still get hacked. You have to know what you care about and focus on that – not just focusing on completing a tick-and-flick exercise to complete the framework of your choice.”

Such a focus on compliance often misdirects security efforts, warned Cisco Systems senior vice president John Stewart, who also serves as the company's chief security and trust officer.

“Companies are trying to figure out security in an organised and consistent way, but they have so many frameworks that they are struggling to allow for consistency across the business,” Stewart explained.

“Most are struggling to allow best practice. And by the time you get a framework implemented, the world has moved on. A tick-and-flick approach may have enabled this thing that enables this concept of comfort, but hasn't made a meaningful dent in the risk that you're taking.”

Without constant vigilance, even compliant organisations aren't likely to stay that way. Verizon's recent 2015 PCI Compliance Report, for example, found that just 28.6 per cent of companies were still compliant with PCI DSS – a required standard for any company handling credit-card data – a year after their initial certification.

The yawning gap between compliance and security was a key theme throughout the panel discussion, in which the overarching concept of trust was identified as a key goal of organisational security efforts.

With today's data-driven environment so “dynamic”, said Cisco Security Business Group chief technical officer Bret Hartman, the key to successfully defending an environment lies in continually revisiting its security so that it remains relevant as the threat landscape changes.

“Back in the day, vendors had to prove that their system was worthy of trust and they would follow a bunch of static guidelines to prove their system was worthy of trust,” he explained. “Then they would declare victory and say that the system was done.”

These days, however, proving and maintaining trust was a continuous effort. “Threats have changed so much, and our systems are so complex, that any notion of static assurance and proof that a system has trust, just doesn't work. The systems must be gathering evidence constantly, and you have to prove that you're worthy of that trust.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by David Braue
