Have you noticed that many of the firms suffering high profile, serious, and expensive information security breaches have nonetheless been 'compliant' with certain laws, regulations, or standards? Consider the case of credit card processor Heartland Payment Systems, which recently suffered the unauthorized disclosure of over 100 million credit card and debit card transactions. The firm handles the transactions of over 175,000 merchants. Hundreds of banks have already had to reissue cards as a result of the breach. Note that Heartland was, at the time, certified as fully Payment Card Industry (PCI) compliant. Many other organizations that fall under various Federal, state, and industry regulations are continually experiencing breaches as well. According to The Chronology of Data Breaches ( www.privacyrights.org), millions of records have been compromised thus far in 2009.
Management at far too many organizations has been placing too much emphasis on compliance. Adequate information security cannot be achieved by simply being in compliance with all relevant laws, regulations, and standards. As much as management might like the definitive statement that this compliance provides (and certainly there are marketing benefits of such compliance), all these compliance efforts still say nothing about whether management has taken the time to do the necessary risk management. These compliance efforts still say nothing about whether management has struck the right balance between competing security-related objectives and struck this balance in a manner that is specific to the environment in question.
A common problem we see is the inability of information security and compliance managers to focus on what's important when it comes to compliance. Certain people focus solely on security operations, at the same time overlooking important technical issues. Others believe that running security scans on a periodic basis is enough. Some believe that running down a checklist of compliance requirements is all that's needed. Sorry, but it's not that simple. We've even seen situations where the people in charge weren't aware of what they needed to comply with, such as state breach notification laws. Wise managers know what they're up against and have the ability to determine what's appropriate in the context of the business rather than treat everything as black or white-right or wrong.
The Shifting Landscape
Part of the problem here is that these laws, regulations, and standards are static. In contrast, information security is dynamic, in fact very rapidly changing. Managers who believe that they are going to establish a secure environment by simply doing the minimum, simply becoming compliant with the requirements specified in laws, regulations, and standards (and hopefully legal agreements as well), will be woefully disappointed. A formal risk management process is instead required. Managers need to look at the unique circumstances of their computing environment-things like the level of user awareness about information security, the type of information systems technology deployed, the type of products and services offered. The nature of the controls needed will then be a function of these situation-specific factors. All of this work of course needs to be performed after a risk assessment is completed, an exercise that needs to take place at least every year. Information systems evolve and change too quickly to warrant anything less.
Another part of the problem is human nature. People want shortcuts-a direct result of the innate human need for instant gratification. Furthermore, people don't want to have to pay any more money than they have to, people don't want to have to think deeply or exert more effort when they are already overwhelmed with other matters. The problem is also a function of societal expectations. Wall Street focuses on short-term results, and rewards managers who cut costs today, even though these same managers may be risking the organization's bankruptcy in the longer term future.
Likewise, the legal system has not yet established the proper incentive systems. Often those in a position to do something about security problems are not legally liable for losses. For example, the operating system vendors are not being held liable for the many damages done by malware, such as Trojans, even though we have had the technology to eliminate malware entirely for many years (and it was in fact incorporated into many mainframe systems). The focus in the information security field has recently, as a result of these psychological and societal factors, been short-term and unduly narrow in scope.