When security compliance bites, IT's your job on the line

Even though many executives outwardly recognise the importance of data security, they are waiting 6 to 12 months for cybersecurity issues to be resolved as new apps and systems continue to be developed with processes that see security and compliance as afterthoughts.

It wasn't supposed to be that way, what with the need for business-IT alignment having become a core tenet of corporate IT strategy many years ago. But too many businesses still focus on functionality and revenue first, says Ajay Unni, and this is creating major gaps in their cybersecurity defences.

“Clients have traditionally struggled to reach the end goal of security compliance,” says Unni, who as CEO of security consultancy Stickman Consulting has worked with hundreds of companies to review and improve their information security.

“They don't want to spend the money, or don't know what to do – or they think they can do it all themselves and just need advisory support.” Even in organisations where security is recognised as important, Unni says, too many still implement it as an afterthought – “retrofitting security on top of whatever is there, without any strategic goals or policy regimes. People just come in and implement the business functionality and forget about security.”

The consequences of this approach are inevitably problematic for the company: an audit will reveal that they are not compliant with required standards – for example, the Payment Card Industry Digital Security Standard (PCI DSS) – and fines accumulate while they rush to implement this compliance. “Businesses are working to different security standards and their security programs are all a mess,” he explains. “A business will say a new app is highly critical and going to the public so they do penetration testing – but the next day they launch the Web site.

We did a PCI assessment 12 months ago and they're still trying to fix the vulnerabilities and the gaps we found.” To improve the overall practice of cybersecurity, Unni has in recent years been promoting the idea of 'security by design' – encouraging clients to consider the security implications of new infrastructure and new projects from the earliest days, so that security can be built into new projects from the beginning rather than becoming a problematic obstacle later on.

He likens the difference to fitting security and data wiring to a building: an old house may not provide appropriate conduits and will require conduits to be run outside the building, whereas a new office building will provide such passageways inside the walls. Business confusion around cybersecurity isn't only their fault, Unni concedes: with many different security acronyms bandied about and little clear demarcation between them, many organisations try to be comprehensively compliant with numerous policies at once – and struggle to find and keep appropriate staff with the skills to meet those policy requirements.

One client Stickman recently worked with, for example, was simultaneously trying to manage its systems to the requirements of PCI DSS, ISO, ASD Information Security Manual (ISM) requirements and Australian Privacy Principles (APPs). “They were scrambling to get anybody with the right kind of relevant skills,” Unni recalls. “They had one set of policies for PCI, one for ISO, and so on. It was a complete nightmare. And it looks nasty because it just looks like security companies are trying to keep their businesses aligned by complicating things. We've always believed in simplifying things.”

By adopting a security by design approach, businesses focus on implementing appropriate security controls early in their project and maintain those controls throughout implementation and ongoing review. This approach provides clear visibility of security controls and how they map to the various compliance standards that are required. “We have committed to make this easier for our clients,” Unni says.

“You can't keep going out and giving clients 50,000-line Excel spreadsheets and 1000-page gap analyses that never get acted upon. We need actionable frameworks to help companies navigate their security requirements.” In a nod to the need for change, some businesses are encapsulating these processes into dedicated internal cybersecurity units and 'cybersecurity framework offices' that maintain staff whose specific purpose is to manage compliance with cybersecurity standards.

This approach allows companies to delegate responsibility and reporting requirements up and down the company as well as across the business – providing a central authority on cybersecurity standards whose uniform approach can help avoid the chaos of current retrofitting practices.

Such compliance can also be essential in meeting the recently tightened requirements of PCI DSS, which in mid 2015 added five new requirements that must be met to achieve compliance and was more recently upgraded again so that from February 2018 compliance will also require better authentication, encryption and active penetration testing.

With a recent Verizon audit of PCI compliance finding that not a single company was fully compliant with even the previous PCI DSS standards, the need for assistance cannot be overstated. Fines for non-compliance can be significant: if a security breach causes the loss of 10,000 credit card numbers, merchants can be hit with a fine on the order of $US250,000 ($A329,000).

It's particularly important for merchants to remember that they have to retain and continually audit their security controls even after achieving the PCI DSS certification – something that Verizon found has not always been happening in practice.

Guidance around the best security standards to use is also important for organisations looking to improve their security, many of which are trying to implement PCI DSS to protect all their data. “Many potential clients have had no idea how onerous PCI is,” Unni says. “You'd have to treat all personally identifiable information as credit cards and put all the PCI controls against them. But either you do PCI or you don't do PCI; there is no 50 percent compliance.”

Over time, Unni is continuing to lead potential clients away from tick-the-box compliance exercises that often end up being far more complex than they would expect, and towards a more holistic, flexible approach to security by design that can support their business in the long term.

This, he says, means creating organisational self-sufficiency around cybersecurity, with appropriate executive sponsorship, clear reporting lines, and relevant consulting capabilities and security-as-a-service offerings. “CSOs must realise that cybersecurity is now going to come bite you,” Unni says. “It's your job on the line and you can't say that it's an IT issue anymore.

By transitioning businesses into an as-a-service model so there is consistency and longevity, they will become more mature organisations.” “Rather than calling in a security firm every time there is a problem or an assessment, we create a clear and consistent program of work to build and operate that security program office on an ongoing basis.”

Join the CSO newsletter!

Error: Please check your email address.

Tags asddata securityit alignmentCSO Buyers GuidesecurityverizonPCI DDSISMScyber security

More about ExcelISMISOStickman ConsultingVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place