I don’t know if Panera Bread was SOX/PCI compliant, but I doubt it really matters. Like many other security professionals, I don’t see being compliant as a magical shield against attacks. But I also didn’t appreciate all the mocking that took place once Panera was breached. It’s true that being compliant doesn’t guarantee you will never be breached, but did anyone ever claim that it does?
Let’s dissect compliance. Compliance doesn’t automatically mean security protection. Rather, it offers a service to ensure that most security standards, which have been imposed by various regulatory organizations, have been met. Compliance mandates have different reasons or rationales and can serve many purposes. One purpose that doesn’t concern me personally but amuses me a great deal is that compliance is used to shield CISOs and IT managers from losing their jobs. Believe it or not, for an executive, the biggest benefit of a compliance mandate is not fighting security breaches but securing their job in the company. It’s a safety net, so to speak. Many might argue with my opinion, but I firmly believe that compliance mandates save hides.
What does concern me, though, is that I work in the security industry and still see a lack of awareness and adoption of security products; for that reason alone, compliance has been a huge force for good.
Whether you agree with me or not, compliance has made people more aware of stricter security needs and given them a way to explain to their management why they need a budget allocated specifically for security, something whose ROI cannot be explained in a single bullet point. That, in my book, is progress.
I hear a lot of complaints about how compliance mandates demand all the wrong things. Well, if we knew what the right things were, wouldn’t we be doing them already? Do you know of any one organization that is carrying out all the right things to create a defense against security breaches? I don’t.
Another recurring complaint is that CISOs don’t get security and are simply checking the proverbial boxes. It’s also said that they are implementing security solutions for all the wrong reasons. If you happen to feel the same way, then I suggest you look at information security less as a religion (where prayer needs intention and belief) and more like laying bricks. When you’re laying bricks, your intention doesn’t matter. Your belief doesn’t matter either. The wall will go up while you’re laying those bricks. It can be a beautiful wall, an ugly wall, a helpful wall or an obstructive wall – but there will be a wall for sure. In the same way, the reason for improving the security of an organization is not as important as the work that is being done. And any work is better than no work at all.
I remember working in information security in the 1990s. It was frustrating, to say the least. Most CIOs really didn’t understand it; others saw it as a waste of their budget, and some would say things such as “until we are actually breached, there is no reason for me to spend energy or money on securing the system.” Sounds funny now, but yes, I have heard that many times. What shifted everybody’s mindset wasn’t vendors releasing amazing security products, but compliance mandates pushing them to take more action. As companies continue to be vulnerable to unknown cyber attacks and predatory malware, it is my hope, as a security professional, that more awareness is raised about security and that people open their minds to learning about and adhering to compliance mandates.
Compliance mandates aren’t perfect, and yes, they can sometimes seem quite redundant or even irrelevant, but they are so much better than the alternative, don’t you think? So, let us tone it down with the mocking or the skepticism and give it a fighting chance. After all, what have you got to lose?
About the author – Aviram Jenik is the co-founder and CEO of Beyond Security, a leading developer of automated security testing tools for networks and applications. He is also the co-founder of SecuriTeam.com, one of the largest security portals and vulnerability databases.
Aviram holds a computer science degree from the Israeli Technion Institute of Technology, and an MBA from Tel Aviv University.
Aviram’s technical background includes a degree in cryptography, development of military grade network attack and defense processes, contribution to several open-source security projects and active research in the fields of vulnerability assessment, full disclosure, and protocol fuzzing. He frequently lectures and writes about advanced aspects of the security field and is the co-author of many information security related books.
Aviram splits his time between the US head office in San Jose, CA and the global headquarters in Israel.