How Security and Regulatory Compliance Differ
By Howard Cohen | Posted 2016-05-13
ANALYSIS: Many executives continue to believe that achieving one automatically assures the other. Here's why this is not the case.
Regulatory legislation was never written specifically to address network or data security.
Guideline documentation for legislation such as the Health Insurance Portability and Accountability Act barely mentions security. Yet many executives, whether guided by their IT management or by their own misperceptions, continue to believe that achieving compliance automatically assures security. This is not the case.
Regulatory compliance audits are designed to capture the state of a given organization's operations at a given moment in time. Once the company has prepared for a regulatory audit and the audit is performed, that's it until the next cycle.
On the other hand, security requires a constant interaction between the management of a business and its assets. Constant scrutiny not only of the assets themselves but also of the measures put in place to protect them is an absolute requirement of an optimally secure environment.
Making your customers aware of this distinction can be critical to their continued survival and business success, while it also provides you with two separate opportunities where once there was only one.
Protect What's Most Important
In the context of company data assets, it is most important to put the highest-value assets first. This requires your customer to engage you for an objective evaluation of each asset on several key criteria:
Criticality: Neither compliance nor security matters much when you're not there anymore. Many companies do not consider or appreciate the criticality of certain data entities, processes and other assets whose compromise could cost them the company.
Valuation: How much would it cost your customers if they lost a particular data asset? One good reason to ask is that many companies spend far more protecting a particular asset than that asset is worth.
Confidentiality: What would be the loss if that data asset were exposed to others and was no longer proprietary to your customer?
Availability: Data assets are often exposed because of a perception that they need to be readily available, frequently to far too wide a circle of potential users. The cost of securing certain data assets can be reduced simply by restricting access, which in turn reduces the need for access-security measures.
So it's far beyond simply having data compromised or corrupted. Simple exposure can result in the end of a customer's business. No company is going to worry about paying fines for lack of regulatory compliance when they're out of business.
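To make the four criteria concrete, here is an added worked example (not from the article or its author) that rates a small constructed asset inventory and flags the two failure modes the list calls out: protection spend that exceeds what the asset is worth, and access granted more widely than the business actually needs. The 1-to-5 ratings, the weights and the dollar bands are assumptions chosen for illustration; a real engagement would calibrate them with the customer.

```python
"""Rank data assets by protection priority and flag overspend / over-broad access.

Added illustration for the article's criticality / valuation / confidentiality /
availability criteria. The 1..5 scale, the weights and the dollar bands are
assumptions, not anything the article prescribes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 (nuisance if lost) .. 5 (loss would end the business)
    value: float              # estimated loss in USD if the asset is lost or corrupted
    confidentiality: int      # 1 (already public) .. 5 (exposure alone is fatal)
    protection_spend: float   # annual cost of the controls currently protecting it, USD
    users_with_access: int    # how many people can reach it today
    users_needing_access: int # how many actually need it to do their job


# Assumed weights: criticality dominates, then confidentiality, then raw value.
WEIGHTS = {"criticality": 0.5, "confidentiality": 0.3, "value": 0.2}


def _check_rating(rating: int) -> None:
    if not 1 <= rating <= 5:
        raise ValueError(f"ratings must be 1..5, got {rating}")


def value_band(value: float) -> int:
    """Map a dollar figure onto the same 1..5 scale as the other ratings.

    Assumed bands: <10k -> 1, <100k -> 2, <1M -> 3, <10M -> 4, otherwise 5.
    """
    bands = (10_000, 100_000, 1_000_000, 10_000_000)
    return 1 + sum(value >= b for b in bands)


def priority_score(asset: Asset) -> float:
    """Weighted score in 1..5; higher means 'protect this first'."""
    _check_rating(asset.criticality)
    _check_rating(asset.confidentiality)
    score = (WEIGHTS["criticality"] * asset.criticality
             + WEIGHTS["confidentiality"] * asset.confidentiality
             + WEIGHTS["value"] * value_band(asset.value))
    return round(score, 2)


def findings(asset: Asset) -> list[str]:
    """Sanity checks from the article: spend vs. worth, and access vs. need."""
    out = []
    if asset.protection_spend > asset.value:
        out.append(f"overspend: ${asset.protection_spend:,.0f}/yr protecting an asset "
                   f"worth ${asset.value:,.0f}")
    excess = asset.users_with_access - asset.users_needing_access
    if excess > 0:
        out.append(f"over-broad access: {excess} of {asset.users_with_access} users "
                   f"do not need it; restricting access lowers the control burden")
    return out


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Return the inventory ordered from most to least urgent to protect."""
    return sorted(assets, key=priority_score, reverse=True)


# Constructed sample inventory (fictional figures).
SAMPLE_INVENTORY = [
    Asset("marketing brochures archive", 1, 5_000, 1, 8_000, 50, 50),
    Asset("legacy build server", 4, 750_000, 2, 20_000, 30, 5),
    Asset("customer PHI database", 5, 5_000_000, 5, 120_000, 400, 60),
    Asset("payroll export share", 3, 200_000, 4, 15_000, 25, 25),
]


def report(assets: list[Asset]) -> list[tuple[str, float, list[str]]]:
    """(name, score, findings) for each asset, highest priority first."""
    return [(a.name, priority_score(a), findings(a)) for a in prioritize(assets)]


if __name__ == "__main__":
    for name, score, notes in report(SAMPLE_INVENTORY):
        print(f"{score:4.2f}  {name}")
        for note in notes:
            print(f"        - {note}")
```

Running it puts the PHI database first and the brochure archive last, and the two findings surface exactly where the list predicts: the archive costs more to protect than it is worth, and the build server is reachable by 25 people who do not need it.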
What's the difference between regulatory compliance and security?
Relative security is the best we can ever hope to achieve—because as long as there's a key, any lock can be compromised by anyone who can duplicate or approximate that key. We can make it incredibly difficult, but we cannot make it impossible. Relative definitions of each would be as follows:
--Compliance: the adherence to requirements from an external source. This could refer to suggestions or guidelines but often carries specific penalties or other consequences. Once achieved, as signified in the passing of an official audit, compliance leads to complacency.
--Security: a protection program built around the particular capabilities of the business, around what matters most to it and around what allows it to continue functioning at the level of success and profitability to which the company is accustomed. The return on security investments often comes in the form of reduced risk.
So "secure" must be seen as something as fluid and changing as the daily operation of your customers' business, yet inextricably entwined with what is critical to the continued successful functioning of that business. For each asset they possess, we must establish the appropriate level of scrutiny and exercise that scrutiny on a full-time basis.
"Regulatory compliance" can easily be defined as properly answering the questions and fulfilling the requirements of a given published set of requirements, as in an audit. Security must instead be defined as the assurance that all assets are protected from compromise or theft to a level appropriate to the value of each asset. Regulatory compliance is black and white, while security always exists in varying shades of gray.
Howard M. Cohen is a 30-plus-year IT industry veteran who continues his commitment to the channel as a columnist and consultant.