The Security Delusions of Compliance

Michael Vizard

All too often, there is a tendency to measure security in terms of compliance. Unfortunately, the definition of compliance with any particular regulation usually comes down to meeting the bare minimum requirements. The end result is that while thousands of organizations can meet compliance requirements, very few of them are actually secure.

As we gear up for 2010, a lot of organizations that are laboring under a certain illusion of security today are about to discover how insecure they really are. This is because, as Sentrigo CTO Slavik Markovich points out, the bad guys are adopting automation tools at a faster rate than the good guys. Botnets are about to get more sophisticated, which means they will be able to take advantage of exploits faster than ever.

And just to make things even more challenging, Markovich says he expects to see cases where malicious crime organizations go to the trouble and expense of trying to plant moles within high-value targets to gain access to security codes. After all, if three months working as a janitor is what is required to gain access to million-dollar accounts, Markovich points out that there is no shortage of criminal accomplices willing to do a little manual labor.

None of this means that IT organizations should give up on security. But it does mean that they should focus more on reducing the surface area of the data that can be attacked. That means only holding on to data that your organization needs, while getting rid of, for example, credit card data as soon as possible.

Only about 10 percent of security has anything to do with technology. The vast majority is related to policies and procedures. As is common everywhere, cyber-criminals are exploiting human frailties, or what they like to call human engineering. The challenge that IT organizations will face in 2010 is how to work around those human frailties to better secure their organizations.

Dec 22, 2009 2:10 AM Dwayne Melancon says:

Good summary, Mike. The tricky thing about "compliance" is it often measures how well you document your policies and follow them - it doesn't necessarily test to see how good your policies actually are, nor how well you follow them beyond the pretty reports you show the auditors. In other words, it's kind of like getting a "Perfect Attendance" award at school - you were there, but that doesn't mean you didn't sit in the back of the class and goof off all year.