I see so much confusion over compliance. Information risk management people sometimes say that compliance is blocking them and that it inhibits risk management. Compliance is not the sum total of governance. Erik Heidt said it best - "Compliance is Risk Management – Just NOT YOUR Risk Management".
Complaining about compliance is a classic Chesterton's Fence problem (1). Before tearing down compliance, first ask why it exists in the first place. Erik Heidt:
- "SOX is the result of anxiety over the risks of financial reporting errors and a response to a number of major corporate accounting scandals.
- PCI is the result of the payment card industry’s desire to ensure minimum standards for the safeguarding of payment card information and transactions.
- The HIPAA Privacy Rule is a direct result of concerns regarding the use (or misuse) of individual healthcare records by the general public."
The regs can be annoying, but they are a given. The question is how to deal with them, and this is where I think most infosec teams have got the wrong end of the stick.
When SOX, HIPAA and PCI came along, they were greeted at first with joy by many infosec teams. Why? Because after years of being shunted off in the corner, people were finally listening (forced to anyway) to infosec - we had a hammer!
So what did infosec teams do? Like any banana republic, they centralized all compliance activities, ran "Compliance programs" and tried to play their hand for all it was worth. This was not necessarily a bad idea at the time, especially given the history leading up to it, but it's disingenuous to go back after the fact and complain about the burdens of compliance.
I think there is a better way forward from here and that is - outsource compliance. That's right - decentralize.
The late, great Robert Garigue had an analogy that illustrates this. He said security is like dentistry. You go to the dentist twice a year for check-ups and advanced questions, but you don't go to the dentist to brush your teeth. The security team should function like the dentist: regular check-ups and expert issues.
To give a concrete example, if you run a network in 2014, you should assume responsibility for running its firewalls. It's absurd that firewalls are centralized in security and that people are literally calling every day to open and close ports. That is brushing teeth.
So the key lesson here is that security should not look to consolidate power under the aegis of compliance. Instead, the majority of tasks in compliance regimes should be aggressively outsourced to the domain owner. Who is in a better position to understand the network, the databases, the apps? The domain owner. There is another advantage: security people are used to paying $2 for something worth $1, which is why firewalls are a multi-billion dollar industry. If firewalls were engineered by network teams, they would be commoditized. Want proof? Look at every IT segment outside of security. There you pay 10 cents on the dollar for 1995 technology, not two bucks in 2014 for a dollar's worth of 1995 tech.
I know how we got here, I was there, I remember getting fobbed off when trying to make the case for security. When compliance came along, security teams loved it; instead of winning one out of ten times they won ten out of ten. What a feeling! So while centralizing compliance made sense at that moment in time, it has long outlived its usefulness as a central organizing concept for security teams.
Here's the thing that is different between now and the SOX days: people get that security matters now. They may not like all the prescriptions, and we're not gonna win ten out of ten, but we are not gonna lose nine out of ten either. Put down the compliance crutch and get back to real security. Let someone else worry about raising the floor (which is what compliance is actually there for) and let security focus on raising the ceiling.
Security does not need to be a banana republic with a Mugabe-style dictator controlling all the levers. Decentralize it and assign compliance tasks to their logical owners. Of course, this won't "just work"; you need some accountability too, a record of who is responsible for what. But guess what? That is built into the regs too.
Aggressively outsource compliance. If you want to retain a reporting function so you still have a hammer, what Garigue called messengers to the King, fine. But outsource the rest and apply the team to training up new skills and standing up new capabilities.
This is using compliance to your advantage, because what are the tasks you are outsourcing? They are right there in the regs. Security teams should focus on actual security, where possible finding things that overlap with compliance requirements and acting as a partner to deliver them. Doing this frees up security resources to focus on actual security strategy and on tactics to improve design, development and operations.
To quote another French philosopher: trust your teammates. Always. Let people brush their own teeth, let the network team buy and field the firewalls; if they don't do it, they are going to wind up back in your office anyway.
1. "In the matter of reforming things, as distinct from deforming them, there is one plain and simple principle; a principle which will probably be called a paradox. There exists in such a case a certain institution or law; let us say, for the sake of simplicity, a fence or gate erected across a road. The more modern type of reformer goes gaily up to it and says, “I don’t see the use of this; let us clear it away.” To which the more intelligent type of reformer will do well to answer: “If you don’t see the use of it, I certainly won’t let you clear it away. Go away and think. Then, when you can come back and tell me that you do see the use of it, I may allow you to destroy it.”
This paradox rests on the most elementary common sense. The gate or fence did not grow there. It was not set up by somnambulists who built it in their sleep. It is highly improbable that it was put there by escaped lunatics who were for some reason loose in the street. Some person had some reason for thinking it would be a good thing for somebody. And until we know what the reason was, we really cannot judge whether the reason was reasonable. It is extremely probable that we have overlooked some whole aspect of the question, if something set up by human beings like ourselves seems to be entirely meaningless and mysterious. There are reformers who get over this difficulty by assuming that all their fathers were fools; but if that be so, we can only say that folly appears to be a hereditary disease. But the truth is that nobody has any business to destroy a social institution until he has really seen it as an historical institution. If he knows how it arose, and what purposes it was supposed to serve, he may really be able to say that they were bad purposes, or that they have since become bad purposes, or that they are purposes which are no longer served. But if he simply stares at the thing as a senseless monstrosity that has somehow sprung up in his path, it is he and not the traditionalist who is suffering from an illusion."
— G.K. Chesterton, The Thing: Why I Am A Catholic
Interesting post. I like the dental care analogy. However, your point about commoditization is way off the mark. Toothbrushes do a poor job of preventing plaque build-up, which causes periodontal disease. A good dentist will recommend Sonicare. The motor (reusable part) is 50x the cost of a toothbrush and the brush part is 5x the cost of a toothbrush.
By the same token, commodity firewalls which only use IP, port, and protocol for policies are pretty much useless against moderately technical adversaries and controlling hundreds (thousands?) of off-the-shelf applications that port hop and/or share ports.
My point is that the security team needs to specify firewall requirements as well as audit the results.
Posted by: riskpundit | March 11, 2014 at 12:41 PM