The Security Delusions of Compliance

All too often, there is a tendency to measure security in terms of compliance. Unfortunately, the definition of compliance with any particular regulation usually comes down to meeting the bare minimum requirements. The end result is that while thousands of organizations can meet compliance requirements, very few of them are actually secure.

As we gear up for 2010, a lot of organizations that are laboring under a certain illusion of security today are about to discover how insecure they really are. This is because, as Sentrigo CTO Slavik Markovich points out, the bad guys are adopting automation tools at a faster rate than the good guys. Botnets are about to get more sophisticated, which means they will be able to take advantage of exploits faster than ever.

And just to make things even more challenging, Markovich says he expects to see cases where malicious crime organizations go to the trouble and expense of trying to plant moles within high-value targets to gain access to security codes. After all, if three months working as a janitor is what is required to gain access to million-dollar accounts, Markovich points out that there is no shortage of criminal accomplices willing to do a little manual labor.

None of this means that IT organizations should give up on security. But it does mean that they should focus more on reducing the surface area of the data that can be attacked. That means only holding on to data that your organization actually needs, and getting rid of, for example, credit card data as soon as possible.

Only about 10 percent of security has anything to do with technology. The vast majority is related to policies and procedures. As is common everywhere, cyber-criminals are exploiting human frailties, or what they like to call human engineering. The challenge that IT organizations will face in 2010 is how to work around those human frailties in order to better secure their organizations.