I was talking with the identity management group that Dell acquired with Quest and getting a kick out of the fact that much of their success was coming from folks who had tried and failed to deploy another vendor’s security solution. I won’t share that company’s name, but it kind of sounded like "snorkel," which is convenient because it suggests why many who use that company’s solutions might feel like they are under water.
But the more interesting part of the conversation was why technologies like this are being deployed and the answer to me is brain-dead stupid, but understandable.
Let me explain.
The problem with compliance is that it is like working for a C grade in school or, better, going to school in a pass/fail program. It focuses the company, or the student, on the minimums necessary to get through the effort, but leaves the company or student less capable of competing in the outside world than would be the case had they focused on exceeding expectations.
With security, the goal is generally to be more secure than the next guy, so the attacker picks him instead of you. This is because it is impossible to be fully secure, but becoming more secure than the next, most likely target is doable.
But if you are focusing on just being compliant, then you are at best a C-class player. Unless the other likely target does the same, it will be the more secure of the two and your company the more likely hit.
This is the problem with a compliance focus: It takes your eye off the goal (securing the business) and puts it on something that is artificial, but more pressing (compliance). So you are led to believe that you have done a security job when you really haven’t, and the money that was spent may, once you are attacked, turn out largely to have been wasted. Or at least it will appear to have been in the face of a successful incident.
Security should never be just about compliance; that is a secondary consideration. The focus has to be on protecting the targeted assets, and only once that is achieved should you consider how to also assure that the result complies with internal policies and external rules. That ordering assures that the first priority in building anything is tied back to the primary goal.
Not doing that is likely why passwords have survived so long even though we branded them as unacceptably insecure way back in the 1980s. Rather than fixing them, we made them hard to remember, so folks wrote them down more often, arguably making them even less secure.
This takes me back to the discussion with the Dell security folks, because they agreed that perimeter security, which is often deployed for compliance, does not hold up in a world of BYOD, rogue access points, VPNs, and, of course, executives and employees (often security folks) who think that security rules apply to others.
It was interesting that while I was thinking of this, flying back from the Dell event, and after I was told to turn off my electronic devices, I was watching the steward play “Bubble Breaker” on his phone as we landed. When asked, he said something like, “This is OK, I’m in airplane mode.” (This was even after his peer had specifically said “off means off, not airplane mode.”) So, apparently, folks who enforce rules but believe they don’t apply to them are pretty much universal.
This brings me back to the conversation about how you really secure a site today. It comes down to assuring that nothing enters an area that is believed to be compromised, protecting systems and data at the most granular level, and assuring that attacks are communicated and mitigated at all points. Where this last part breaks most often today is when an electronic attack isn’t communicated to those in charge of physical security, or vice versa. Often, one can quickly lead to the other, and were both sides prepared, fewer attacks would be successful.
By the way, I should point out that the Quest merger into Dell apparently is going very well and once again showcasing that Dell’s acquisition process remains the gold standard. But the real “aha!” moment was realizing that compliance actually works against being secure now, because it too often overshadows the true goal.
Ever since the DoD said we are in for a cyber attack of 9/11 scale, we should have been rethinking our security goals and making sure compliance alone isn’t driving them. Survival is the real goal, and if your firm is shut down, saying it was compliant won’t provide nearly as much cover.
Something to think about this weekend.