Security practitioners have so many potential security frameworks to choose from that their effectiveness is being compromised as companies spend too much energy focused on achieving compliance rather than maintaining it, industry experts have warned.
Speaking in a security panel session at this week's Cisco Live! technical conference, Australian Cyber Security Research Institute CEO Gary Blair warned that while standards such as ISO 27000 and the COBIT had value in providing guidance for the establishment of overarching security frameworks, “most of those are too large and too complete for organisations to embrace.”
More pragmatic frameworks targeted directly at cybersecurity, such as the Australian Signals Directorate's 35-item Strategies to Mitigate Targeted Cyber Intrusions, offered a more achievable target for organisations wanting to improve their security, Blair said.
“We have a surplus of frameworks but that is one I would recommend to everyone to consider,” he said. “I recommend it to all the corporates we deal with because it cuts through all of the issues” typical organisations face in securing their environments.
Telstra chief information security officer Mike Burgess agreed that an over-reliance on security frameworks often gave organisations an inflated sense of security.
“There are a number of security frameworks out there,” he said, “and I have seen organisations that implemented those frameworks well but still get hacked. You have to know what you care about and focus on that – not just focusing on completing a tick-and-flick exercise to complete the framework of your choice.”
Such a focus on compliance often misdirects security compliance efforts, Cisco Systems senior vice president John Stewart, who also serves as the company's chief security and trust officer, warned.
“Companies are trying to figure out security in an organised and consistent way, but they have so many frameworks that they are struggling to allow for consistency across the business,” Stewart explained.
“Most are struggling to allow best practice. And by the time you get a framework implemented, the world has moved on. A tick-and-flick approach may have enabled this thing that enables this concept of comfort, but hasn't made a meaningful dent in the risk that you're taking.”
Without constant vigilance, even compliant organisations aren't likely to stay that way. Verizon's recent 2015 PCI Compliance Report, for example, found that just 28.6 of companies were still compliant with PCI DSS – a required standard for any company handling credit-card data – a year after their initial certification.
The yawning gap between compliance and security was a key theme throughout the course of the panel discussion, in which the overreaching concept of trust was outed as being a key goal of organisational security efforts.
With today's data-driven environment so “dynamic”, said Cisco Security Business Group chief technical officer Bret Hartman, the key to successfully defending an environment lies in ensuring that it is continually revisited to ensure that it remains relevant as the threat landscape changes.
“Back in the day, vendors had to prove that their system was worthy of trust and they would follow a bunch of static guidelines to prove their system was worthy of trust,” he explained. “Then they would declare victory and say that the system was done.”
These days, however, proving and maintaining trust was a continuous effort. “Threats have changed so much, and our systems are so complex, that any notion of static assurance and proof that a system has trust, just doesn't work. The systems must be gathering evidence constantly, and you have to prove that you're worthy of that trust.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.