Compliant, Yet Breached: Compliance vs. Security

Author: Tony Chandola, CISA, CISM, CISSP, PCI QSA, PCIP, PMP
Date Published: 5 September 2017

“The hackers focused on overcoming our security controls while the security and compliance teams were measuring our security in terms of adherence with formal compliance certification.”1 This was the surprised analysis of a global ransomware attack by the compliance and security experts of one Fortune 500 victim. Target, SecurePay, Sally Beauty, FedEx, Staples, Dairy Queen, Kmart and many other enterprises that hold certifications of compliance with a security standard, yet suffered breaches, have 24/7 professional teams focused on maintaining their security and compliance status. (The list of enterprises in the “compliant with certifications, yet breached” category may be even longer, as breaches are rarely acknowledged, to preserve the optics of reputation. Publicly known breaches are just the tip of the iceberg.)

Remaining certified requires the security and compliance teams of all major enterprises to constantly manage every security activity demanded by stringent standards, while also maintaining the evidence of adherence to those controls for security auditors. Yet ransomware-like breaches occur despite paper certifications confirming the existence of adequate security controls. Some compliant, but breached companies, such as Target, have initiated legal action against the security specialists and auditors they enlisted to assist in achieving Payment Card Industry Data Security Standard (PCI DSS) compliance certification. The cost of compliance certification typically runs from a few hundred thousand US dollars in audit services to a few million US dollars in the changes required to reach compliant status. This leads to the uncomfortable million-dollars-in-security-compliance-investment question: Are the huge cost and pain of the changes required for compliance certification worth the effort if becoming certified does not deliver the desired result, a level of security comfort for the enterprise?

Answering this question requires analyzing the relationship between compliance and security so stakeholders can avoid unrealistic expectations and derive the maximum benefit of synergy between the two strategies. A look at the dictionary reveals the following:

  • Compliance—The act or process of complying with a desire, demand, proposal, regimen or coercion; for the purposes of this article, complying in order to achieve security2
  • Security—The state of being free from danger or threat; for the purposes of this article, information security dangers are in scope of this definition3

Compliance, therefore, is an act, while security is a state—the objective. The relationship between the action and the objective yields four possible combinations of status for an organization:

  1. Neither compliant with any standards nor secure
  2. Secure in a limited way, but not compliant with any standards
  3. Compliant with standards, but insecure in reality
  4. Secure and compliant

Neither Compliant Nor Secure

Compliance with a security standard is, at times, a voluntary effort by executives to show the required due diligence in managing an enterprise’s security processes. Other security compliance standards are mandatory, depending on the business processes and profile of the entity. Any organization that stores, processes or transmits payment card data is contractually required by the card brands to comply with PCI DSS, and any US organization handling protected health information must satisfy US Health Insurance Portability and Accountability Act (HIPAA) requirements. Security compliance, however, is not mandatory for all organizations, and the team in the organization described in this scenario took advantage of that fact. The organization concluded that its business profile allowed it not to comply with any security standard, as it handled neither payment card nor health information. Neither was it in scope for US Sarbanes-Oxley Act of 2002 (SOX) compliance. Only the huge impact of a ransomware attack, when its systems were locked out and operations halted, revealed the need for compliance and security in its environment.

The root cause was identified as the executives’ limited view of the importance of data security and its possible impact. They did not leverage any security compliance framework in the organization’s environment. The business entity succeeded in avoiding the pain of the changes required for security compliance, but the result was a lower enterprise-level security posture, with a direct impact on critical operations and reputation.

All responsible organizations need to understand the importance of digital data security; alignment with a recognized security standard is a duty and an obligation to their customers and stakeholders. Compliance efforts aligned with a security standard of the organization’s choosing provide a tangible demonstration of management’s due diligence toward its data security obligations. Such efforts also show the organization its gaps and what must be done to close them.

There is almost no organization that does not have sensitive information. Even if an organization does not have credit card or personal health information, it likely has some personal information of its own staff as well as operational, intellectual or proprietary information, making it important to follow some set of security standards at an enterprise level.

Secure, but Not Compliant

The organization described in this scenario is defense-related and was secure in a limited way. The company had the latest firewalls, but just as buying a Ferrari does not make one a better driver, new technology does not guarantee compliance or security. The firewalls were installed and the organization considered itself secure from external access and from breaches caused by external hackers. The executives did not feel the need to take up the challenge of becoming compliant with any security standard, as they felt the firewalls were their fortress walls and the answer to all their security requirements. They were therefore surprised when the organization lost data to malware that infected its systems via access granted to a third-party vendor for maintaining the temperature in the server rooms. Another organization was breached by a targeted, personalized email attack (spear phishing) carrying malware that circumvented the network security controls. A third, similarly “secure” organization experienced data loss from an internal incident caused by a disgruntled former employee.

Data security rests on a combination of people, processes and technologies working together to provide a higher level of security to business entities. All recognized industry security standards and regulations, such as the International Organization for Standardization (ISO)’s ISO/IEC 27002:2013, PCI DSS and HIPAA, take all of the aforementioned threats into consideration. All of them require that processes relating to data security be documented and formalized, ranging from periodic network security reviews to management of third-party vendors. Had the organizations described in the preceding paragraph made any effort to satisfy a recognized security compliance standard, they would have uncovered their gaps against these threats instead of focusing only on the network or technology aspect.

The issue with noncompliance is usually a corresponding immaturity in critical processes (e.g., inadequate documentation). Without formal documentation, there is no proof that a management system exists for the IT-related security processes. It is analogous to a traveler in an airport who has lost his/her passport: that traveler is still a person, but without a passport or other appropriate evidence of identity, he/she is “not” a person to the airline or the border authority and may not be admitted to a flight or another country. Similarly, formal documentation of security processes is the evidence that a management system for these activities is in place at a professional level.

Compliant, but Not Secure

In this scenario, sensitive point-of-sale (POS) devices were secured by locks and monitored by cameras, as required for PCI DSS compliance. The organization owning the POS devices therefore met the compliance certification conditions.

However, despite these security controls, there was a breach. The locks were of low quality and easily opened, and the camera resolution was so poor that it recorded nothing in the dark, enabling tampering with the POS devices that led to data loss. It was discovered that the organization’s finance department had denied a request for better locks and cameras on budget grounds.

The root cause was the organization’s focus on the letter of the compliance standard while disregarding the spirit of the framework, a combination that led to a breach and loss of reputation. It installed locks and cameras, formally meeting the standard’s requirements, but by opting for the cheapest variants it defeated the intent behind the requirement.

To avoid this situation, an organization should aim to satisfy the spirit of the security standard instead of focusing only on its wording. A security control must be good enough to be effective in practice, not merely present so that the compliance condition is met on paper.

Secure and Compliant

The fourth combination is the ultimate aim of the cyber security effort and the most challenging to achieve.

The ideal scenario is a balance between compliance and security, achieved by making the two strategies reinforce each other. The approach is to use compliance as a stepping stone toward a more mature security status for the enterprise environment.

Step 1: Achieve formal compliance certification by meeting the compliance requirements.

  • Achieve board-level consensus to adopt and implement a security compliance standard that fits the organization’s needs and profile.
  • Conduct a self-assessment of the organization’s status quo or a third-party assessment to identify compliance gaps.
  • Involve all relevant key stakeholders of data security to review the gaps and accept the gap findings.
  • Create a road map based on the gaps’ remediation.
  • Bridge the gap between the compliance status and the status quo using the gap remediation road map.

The outcome is formal compliance certification for the data environment. It may be necessary to leverage the audit and assessment services of a risk assessment partner who is accredited to review and certify the security status (for PCI DSS, a Qualified Security Assessor).

Step 2: After achieving formal compliance, satisfy the spirit of the standard to evolve governance. Move to a more mature security posture by maintaining compliance and then implementing data security strategies at the program level, thus satisfying the spirit of compliance.

For example, PCI DSS makes it mandatory to review firewall and router rule sets at least every six months (Requirement 1.1.7 in PCI DSS v3.2). After meeting this compliance condition, satisfy the spirit of compliance by refining the control activity: consider making it mandatory in your enterprise that every risk factor identified during such a review is tracked, managed and closed within a reasonable, defined time.

  • Adopt and create a governance model for the achieved certified compliance status.
  • Implement a dynamic strategic program to maintain security status in alignment with the continually changing threat landscape.
  • Maintain compliance by implementing formal policies/procedures and refine controls for all the key controls to satisfy the spirit of the compliance standard.
  • Assess the security processes/procedures based on the compliance framework to create key performance indicators (KPIs) for all security processes identified by the security standards.
  • Use KPIs of security processes under the governance of the information security governance team to achieve the next, more mature enterprise security level.
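The firewall rule review and the KPI bullets above describe a control and a measurement without showing either. The following Python script is an added example, not code from the article or from any PCI DSS tooling: it reviews a constructed rule-set export for the patterns a semiannual review typically flags (unrestricted allow rules, rules with no business justification, expired temporary exceptions), tracks each finding against an assumed 30-day remediation SLA, and computes the "closed within SLA" KPI that a governance team would report. The rule fields, the 30-day SLA and the sample rules and findings are all assumptions for illustration.

```python
"""
Firewall rule-set review with finding tracking and a closure KPI.

Assumptions (not from the article): a rule set exported as a list of dicts
with src/dst/port/action/justification/expires fields, an internal SLA of
30 days to remediate a review finding, and the review criteria in
review_rules(). All sample data below is constructed for illustration.
"""
from datetime import date, timedelta

SLA_DAYS = 30  # assumed internal remediation window per finding

# Constructed sample export of a perimeter rule set (not a real environment).
RULES = [
    {"id": 1, "src": "any", "dst": "10.1.2.10", "port": "443", "action": "allow",
     "justification": "Public web front end", "expires": None},
    {"id": 2, "src": "any", "dst": "any", "port": "any", "action": "allow",
     "justification": "", "expires": None},
    {"id": 3, "src": "203.0.113.7", "dst": "10.1.5.0/24", "port": "22", "action": "allow",
     "justification": "Vendor HVAC maintenance", "expires": date(2017, 3, 1)},
    {"id": 4, "src": "10.1.0.0/16", "dst": "10.1.9.3", "port": "1433", "action": "allow",
     "justification": None, "expires": None},
    {"id": 5, "src": "any", "dst": "any", "port": "any", "action": "deny",
     "justification": "Default deny", "expires": None},
]

# Constructed finding log from an earlier review cycle: rule_id, date opened,
# date closed (None = still open).
TRACKED = [
    {"rule_id": 2, "opened": date(2017, 3, 5), "closed": date(2017, 3, 20)},
    {"rule_id": 3, "opened": date(2017, 3, 5), "closed": date(2017, 5, 10)},
    {"rule_id": 4, "opened": date(2017, 3, 5), "closed": None},
]


def review_rules(rules, today):
    """Return a list of (rule_id, reason) findings for rules that fail review.

    Criteria (assumed for this example): unrestricted allow rules, allow rules
    lacking a business justification, and temporary exceptions past expiry.
    """
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules cannot be over-permissive
        if r["src"] == "any" and r["dst"] == "any" and r["port"] == "any":
            findings.append((r["id"], "any/any/any allow: no restriction at all"))
        elif r["src"] == "any" and r["port"] == "any":
            findings.append((r["id"], "all ports reachable from any source"))
        if not r.get("justification"):
            findings.append((r["id"], "no documented business justification"))
        exp = r.get("expires")
        if exp is not None and exp < today:
            findings.append((r["id"], f"temporary exception expired on {exp.isoformat()}"))
    return findings


def open_findings(findings, opened):
    """Turn review output into tracked finding records, one per rule."""
    rule_ids = sorted({rule_id for rule_id, _ in findings})
    return [{"rule_id": rid, "opened": opened, "closed": None} for rid in rule_ids]


def closure_kpi(tracked, today, sla_days=SLA_DAYS):
    """KPI: percent of findings closed within SLA, plus rule ids now overdue.

    A finding is counted as closed within SLA only if its closed date is on or
    before opened + sla_days. Open findings past that date are overdue.
    """
    within_sla = 0
    overdue = []
    for f in tracked:
        due = f["opened"] + timedelta(days=sla_days)
        if f["closed"] is not None:
            if f["closed"] <= due:
                within_sla += 1
        elif today > due:
            overdue.append(f["rule_id"])
    pct = 100.0 * within_sla / len(tracked) if tracked else 100.0
    return round(pct, 1), overdue


if __name__ == "__main__":
    today = date(2017, 5, 15)
    for rule_id, reason in review_rules(RULES, today):
        print(f"rule {rule_id}: {reason}")
    pct, overdue = closure_kpi(TRACKED, today)
    print(f"closed within SLA: {pct}%  overdue rules: {overdue}")
```

With the constructed data, the review flags rules 2, 3 and 4 and leaves the justified, port-restricted rule 1 and the default-deny rule 5 alone; the KPI shows that only one of three previous findings was closed inside the SLA and that rule 4 is still overdue. Reporting that percentage and the overdue list each cycle, rather than just the fact that a review occurred, is what turns the letter of the requirement into the spirit of it.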

Conclusion

The ransomware-like breaches that affected even organizations holding certifications of compliance with security standards make it worth reviewing the relationship between formal security certification and an organization’s actual security status. A formal certification of compliance with any standard does not necessarily equal a mature overall security posture, and vice versa. However, the strength of both strategies can be harnessed by using formal compliance frameworks and certification as a milestone on the strategic road map to an enhanced enterprise-level security posture. Instead of thinking in terms of security vs. compliance, the better option is security via compliance.

A breached, yet compliant status usually means that the champions of compliance had lulled themselves into a false sense of security by focusing only on the letter of the compliance standard. They mistook the path to compliance for the end objective, which is a more mature security posture. To reach the desired posture, an entity can first meet the letter of the compliance certification, which is the easier part, and then move on to satisfy the spirit and intent of the standard by defining and tracking KPIs for every security-related process the standard identifies, covering all relevant processes, technologies and people.

Endnotes

1 The author of this article was working with the client team when the news of the breach hit them and was struck by the accuracy of the comment.
2 Merriam-Webster Dictionary, “compliance,” https://www.merriam-webster.com/dictionary/compliance
3 Oxford Dictionaries, “security,” https://en.oxforddictionaries.com/definition/security

Tony Chandola, CISA, CISM, CISSP, PCI QSA, PCIP, PMP
Is a senior security consultant at McAfee. He has 15 years of experience delivering information technology risk management solutions for enterprises globally and has been with McAfee since September 2015. Chandola has experience in risk assessments of Fortune 500 multinational clients at a global level, ranging from governments to strategic services such as telecom, banks, airlines and airports. He has risk assessment experience with clients such as Telus, the Abu Dhabi government, Hawaiian Airlines, SecureKey, HSBC, Bell, McCarran International Airport, FedEx and KPMG.