When security compliance bites, IT's your job on the line
- 02 June, 2016 11:42
Even though many executives outwardly recognise the importance of data security, they are waiting 6 to 12 months for cybersecurity issues to be resolved as new apps and systems continue to be developed with processes that see security and compliance as afterthoughts.
It wasn't supposed to be that way, what with the need for business-IT alignment having become a core tenet of corporate IT strategy many years ago. But too many businesses still focus on functionality and revenue first, says Ajay Unni, and this is creating major gaps in their cybersecurity defences.
“Clients have traditionally struggled to reach the end goal of security compliance,” says Unni, who as CEO of security consultancy Stickman Consulting has worked with hundreds of companies to review and improve their information security.
“They don't want to spend the money, or don't know what to do – or they think they can do it all themselves and just need advisory support.” Even in organisations where security is recognised as important, Unni says, too many still implement it as an afterthought – “retrofitting security on top of whatever is there, without any strategic goals or policy regimes. People just come in and implement the business functionality and forget about security.”
The consequences of this approach are inevitably problematic for the company: an audit will reveal that they are not compliant with required standards – for example, the Payment Card Industry Digital Security Standard (PCI DSS) – and fines accumulate while they rush to implement this compliance. “Businesses are working to different security standards and their security programs are all a mess,” he explains. “A business will say a new app is highly critical and going to the public so they do penetration testing – but the next day they launch the Web site.
We did a PCI assessment 12 months ago and they're still trying to fix the vulnerabilities and the gaps we found.” To improve the overall practice of cybersecurity, Unni has in recent years been promoting the idea of 'security by design' – encouraging clients to consider the security implications of new infrastructure and new projects from the earliest days, so that security can be built into new projects from the beginning rather than becoming a problematic obstacle later on.
He likens the difference to fitting security and data wiring to a building: an old house may not provide appropriate conduits and will require conduits to be run outside the building, whereas a new office building will provide such passageways inside the walls. Business confusion around cybersecurity isn't only their fault, Unni concedes: with many different security acronyms bandied about and little clear demarcation between them, many organisations try to be comprehensively compliant with numerous policies at once – and struggle to find and keep appropriate staff with the skills to meet those policy requirements.
One client Stickman recently worked with, for example, was simultaneously trying to manage its systems to the requirements of PCI DSS, ISO, ASD Information Security Manual (ISM) requirements and Australian Privacy Principles (APPs). “They were scrambling to get anybody with the right kind of relevant skills,” Unni recalls. “They had one set of policies for PCI, one for ISO, and so on. It was a complete nightmare. And it looks nasty because it just looks like security companies are trying to keep their businesses aligned by complicating things. We've always believed in simplifying things.”
By adopting a security by design approach, businesses focus on implementing appropriate security controls early in their project and maintain those controls throughout implementation and ongoing review. This approach provides clear visibility of security controls and how they map to the various compliance standards that are required. “We have committed to make this easier for our clients,” Unni says.
“You can't keep going out and giving clients 50,000-line Excel spreadsheets and 1000-page gap analyses that never get acted upon. We need actionable frameworks to help companies navigate their security requirements.” In a nod to the need for change, some businesses are encapsulating these processes into dedicated internal cybersecurity units and 'cybersecurity framework offices' that maintain staff whose specific purpose is to manage compliance with cybersecurity standards.
This approach allows companies to delegate responsibility and reporting requirements up and down the company as well as across the business – providing a central authority on cybersecurity standards whose uniform approach can help avoid the chaos of current retrofitting practices.
Such compliance can also be essential in meeting the recently tightened requirements of PCI DSS, which in mid 2015 added five new requirements that must be met to achieve compliance and was more recently upgraded again so that from February 2018 compliance will also require better authentication, encryption and active penetration testing.
With a recent Verizon audit of PCI compliance finding that not a single company was fully compliant with even the previous PCI DSS standards, the need for assistance cannot be overstated. Fines for non-compliance can be significant: if a security breach causes the loss of 10,000 credit card numbers, merchants can be hit with a fine on the order of $US250,000 ($A329,000).
It's particularly important for merchants to remember that they have to retain and continually audit their security controls even after achieving the PCI DSS certification – something that Verizon found has not always been happening in practice.
Guidance around the best security standards to use is also important for organisations looking to improve their security, many of which are trying to implement PCI DSS to protect all their data. “Many potential clients have had no idea how onerous PCI is,” Unni says. “You'd have to treat all personally identifiable information as credit cards and put all the PCI controls against them. But either you do PCI or you don't do PCI; there is no 50 percent compliance.”
Over time, Unni is continuing to lead potential clients away from tick-the-box compliance exercises that often end up being far more complex than they would expect, and towards a more holistic, flexible approach to security by design that can support their business in the long term.
This, he says, means creating organisational self-sufficiency around cybersecurity, with appropriate executive sponsorship, clear reporting lines, and relevant consulting capabilities and security-as-a-service offerings. “CSOs must realise that cybersecurity is now going to come bite you,” Unni says. “It's your job on the line and you can't say that it's an IT issue anymore.
By transitioning businesses into an as-a-service model so there is consistency and longevity, they will become more mature organisations.” “Rather than calling in a security firm every time there is a problem or an assessment, we create a clear and consistent program of work to build and operate that security program office on an ongoing basis.”