Using compliance as a tool for change

Our manager uses gaps in security compliance to strengthen the security program

One of my guiding principles is that compliance does not equal security. A passed audit is not a true measure of how well a company actually protects itself; it attests that the required controls were in place at the time of assessment, not that they work. Compliance can be little more than checking all the boxes and telling the auditors what they want to hear. After all, many compromised banks were PCI-compliant, and several breached healthcare organizations were compliant with HIPAA.

I am no fan of compliance for its own sake. The problem is that too many companies and auditors stop at the checklist and never ask what, beyond compliance, would really make the company more secure.

Of course, at my company we often find ourselves needing to come into compliance with various regulations — there’s no avoiding that. Customers expect us to maintain certain levels of compliance, and our bank requires us to be PCI-compliant, since we store and process credit cards. Reaching compliance can be arduous, even exhausting, but it has at least one great benefit: it is a highly useful lever for changes that I, as the security manager, fully endorse but haven’t been able to effect otherwise. In the name of compliance, you often find you can create new policies, implement new processes and deploy new technologies without a fight.

Just recently, months of nagging our IT guys to make sure that all end users’ PCs have up-to-date antivirus software finally came to a happy end when the matter became a compliance issue.

We have been pushing antivirus updates via a management server that monitors the update status of every client. The problem was that the clients only check in when they can reach that server on our internal network, so remote employees could work for long stretches without the server ever seeing their antivirus status. Because all of the applications they use to get their work done are delivered as software as a service, they never feel a need to establish a VPN connection to our network, and an unmanaged, possibly out-of-date endpoint is invisible to us for as long as that lasts.

The IT guys and I went back and forth on this for months, and we’d probably still be doing so months from now if the auditors hadn’t listed this situation as an “exception” in the findings document for our SSAE 16 Service Organization Control (SOC) report — a report that is shared with our customers. That’s when several executives got very interested in our VPN requirements. I was able to show them the long string of emails that had passed between me and the IT department on this very subject and — what do you know? — the result was immediate change. We have modified the architecture and securely exposed the management server to the internet, so remote employees’ machines can now report their status to it without first connecting to the VPN.

Since I had the ear of upper management, I thought it would be a good time to address some other things that I would classify as general hygiene. Too often, I have come across PCs and servers with outdated operating system patches and out-of-date third-party software such as Adobe Reader, Adobe Flash and Java. Now the IT department has been given a mandate from on high to get things in order.

Using compliance shortfalls to upgrade our security practices isn’t unusual. Last year, I was able to use compliance to justify several initiatives, including signing up for a service and buying associated tools that will allow us to establish baseline security configurations for technology assets such as Linux, Windows, Apache, Oracle and firewalls.

And relying on findings from our PCI audit related to encryption, I was able to deploy BitLocker for Windows PCs and FileVault for Apple Macs. PCI DSS requires that stored cardholder data be rendered unreadable, and encryption is the usual way to do that. Such data can show up anywhere in our company, since many of our employees assist customers, who often provide credit card and other sensitive data even though we advise against it. So now we’re enforcing full-disk encryption on 100% of our company-owned PCs. Such widespread use of encryption has a beneficial side effect: many states now provide a “safe harbor” in their breach-notification laws, meaning that a company that has been breached might not have to notify customers and provide breach remediation services if all the data involved was encrypted and the keys were not exposed.
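Enforcing encryption on “100%” of PCs is only as good as the evidence that each machine actually is encrypted, which is what an auditor will ask for. The following script is an added example written for this page, not code from the column or its author. It checks the BitLocker state of every volume on a Windows machine using the built-in Get-BitLockerVolume cmdlet and flags the volume as non-compliant if protection is off, encryption is incomplete, or (for the OS drive) there is no TPM-based key protector or no recovery password protector. The list of acceptable protector types and the function name are assumptions chosen for the example; it assumes Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example (not from the column): audit BitLocker state on one Windows PC
# and report whether each volume meets an "all company PCs encrypted" policy.
# Assumes the BitLocker PowerShell module (Get-BitLockerVolume) and admin rights.

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Assumption for this example: only TPM-based protectors count for the
        # OS drive. A password-only protector is not accepted.
        [string[]]$AcceptableOsProtectors = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    )

    $results = foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector types as plain strings for easy comparison.
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasRecovery    = $protectorTypes -contains 'RecoveryPassword'
        $isOsDrive      = $vol.VolumeType -eq 'OperatingSystem'

        $reasons = @()
        if ($vol.ProtectionStatus -ne 'On') {
            $reasons += 'protection off'
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $reasons += "status=$($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        if ($isOsDrive) {
            $tpmBased = $protectorTypes | Where-Object { $AcceptableOsProtectors -contains $_ }
            if (-not $tpmBased)   { $reasons += 'no TPM-based key protector' }
            if (-not $hasRecovery) { $reasons += 'no recovery password protector' }
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Protectors   = ($protectorTypes -join ',')
            Compliant    = ($reasons.Count -eq 0)
            Reasons      = ($reasons -join '; ')
        }
    }
    return $results
}

# Usage: run on each machine and keep the output as audit evidence.
Test-BitLockerCompliance | Format-Table -AutoSize
```

Run it from a management tool or logon script and collect the objects centrally; a machine that never reports is itself a finding, which is exactly the gap the remote-worker antivirus problem above exposed.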

I have even used compliance to improve our security badges. When I was hired a few years ago, the company used plain white proximity badges. Our badges now include a photo, a name and other features that identify the wearer as an employee or a contractor.

I expect more compliance-driven security improvements in the future, since we are seriously considering becoming HIPAA-compliant.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
