This is the second installment in my Drifting Out of Compliance series, which takes a closer look at organizational approaches to compliance and the challenges of shifting from a point-in-time compliance mentality to a continuous compliance one. Although a security-first, compliance-second approach is best, many organizations still struggle to attain even the baseline level of security that compliance requirements document.
In the first installment of this series, I pointed out that the point-in-time compliance mentality is commonplace in the marketplace today and manifests itself in several ways:
- The project mindset: setting up a team to demonstrate compliance at a point in time only
- The technology-only investment mindset: acquiring prescribed technology with little thought to implementation and process
- The reactionary mindset: “fire drills” that crop up when an urgent need arises
A security team can become entrenched in one (or more) of these mindsets without a concerted effort to break the cycle, and such a mentality perpetuates these three common compliance myths:
Myth #1: Demonstrating compliance at a point in time amounts to compliance throughout the year
The false sense of security that comes from passing an annual assessment, combined with the subsequent and inevitable drift out of compliance over time, sets an organization up for an increased risk of data breaches. According to Verizon, 80% of organizations that passed their annual PCI assessment drifted out of compliance shortly thereafter, busting this myth wide open. It is therefore no surprise that the “continuous” concept is becoming a key component of more and more compliance frameworks. More on this topic in the next installment of this blog series.
Myth #2: Reactionary cycles are always productive and without opportunity cost
As many of us have experienced, reactionary cycles build on one another and fight against the key planning concept “build the plan, work the plan.” Ironically, well-thought-out, forward-thinking planning efforts may reduce future reactionary cycles. In a culture of reactionary cycles, it’s easy to ask, “Why work a plan, or commit to work, when you know full well that many more fire drills are coming around the corner to trump the plan?” As a result, employees resign themselves to a culture of reactionary cycles with no room (or hope) for continuous improvement.
Myth #3: Processes and technology usage are the same
Perhaps this myth is really an “unconscious assumption.” Yes, technology usage could be considered a process, but take it a step further and consider these questions:
- How repeatable is that process?
- Could someone else step in and execute the same process?
- Is there a system in place that ties one process to another, such as interdepartmental handoffs?
- Who’s monitoring these processes to ensure all gaps are closed?
- Are there processes to manage the processes?
To ask a question we all already know the answer to: have there been breaches where effective, perfectly capable technologies were in place, and did process gaps play a significant role in a business-crippling data breach? Prior to a data breach, the value provided by processes may seem intangible and hard to quantify. Only afterwards, once significant losses have been suffered, does the tangible value of those processes become crystal clear. Consider this:
- Do you view processes as if they are business assets?
- Do you think about how to increase the value of those “process assets?”
Opportunity for process maturity
If your organization is like most, there’s plenty of room to build more mature, repeatable, continuous processes. Though security experts are knowledgeable and proficient with security concepts and tools, they may not be as well-versed in process methodologies such as the Capability Maturity Model or Six Sigma. And if they are, are they too consumed by reactionary cycles to put that knowledge to good use? Businesses think about optimizing the productivity of personnel and maximizing the ROI of their product purchases. Should processes be viewed any differently?
Consider the following Six Sigma doctrine:
Continuous efforts to achieve stable and predictable process results (e.g., by reducing process variation) are of vital importance to business success.
Just as we need advanced network monitoring technology to continuously monitor our networks and the effectiveness of our security controls, we also need to continuously mature and improve our “process assets.” Without process maturity, closing the gaps between siloed processes is hit or miss, reactionary cycles will rule the roost, and data breaches due to weak processes will continue. Without valuing and investing in process as an integral part of optimizing technology usage, the shift from a point-in-time compliance mentality to a continuous compliance one will be a great challenge indeed.
Check back for the next installment in this series when I will take a look at how the “continuous” concept has become part of the standard of due care. If you have any compliance stories or organizational challenges you’d like to share, I’d like to hear about them. Email me at rkral@tenable.com.