A Clarification on My Opinion on Regulatory Compliance

Blaming need for increased security on need to comply w. regulations is flawed philosophy.

So said one of the comments I received in an evaluation from a recent presentation I gave on ROI/ROSI in Chicago two weeks ago. I always lead off my presentations about metrics with a brief spiel on why they are important – everyone has a different opinion on what "good" security is; if we are successful, nothing happens; however, one incident doesn’t necessarily equal failure. As part of that justification, I also pick on auditors/regulators by suggesting that we are all subservient to the auditor’s "pen" and whatever comments they make.

One person there happened to be a regulator and said "shouldn’t we all just want to do the right thing?" This has been chafing on me ever since, and I suspect the same person also wrote the comment at top. I admit that I sort of bumbled through my comments about this in Chicago, so I will take this opportunity to clarify my position on regulatory compliance and whether it is the right thing.

Security is about preventing losses through compromise of information systems. We can define losses in many different ways. I like to think about the following three items: 1) lost information asset value; 2) IT productivity costs; and 3) regulatory and legal fines/fees/costs. Of course, number one is a bit of a quagmire, and I’ve blogged before about ways to quantify IA value. Number two is where we often see our most obvious losses, particularly in the case of fast-spreading worms and viruses with little payload. And number three involves things like intellectual property protection (e.g. legal costs for protecting trade secrets stolen from a computer) and fines for disclosure of private information.

But number three can also include costs simply for non-compliance – if you don’t change passwords for some set of accounts when a regulation says you should, you are non-compliant. In this case, the loss comes not from a system compromise, but from a compliance exercise, and compliance becomes the latest THREAT (that which precipitates the potential loss). Here is where I have my concern with compliance and whatever the right thing is – I know of nobody that can demonstrate a correlation (presumably inverse) between any security control and any system-related incident (heck, I may be the only one out there even trying ;-) ).

I don’t know what the universal "right" things to do are, and neither do you. It is much more dangerous to be convinced that you do (as this regulator apparently does). Now, make no mistake – I am perfectly willing to offer advice and some security practices are pretty obvious. And I’m going to capitalize my next point to make sure I am heard: COMPLIANCE CAN BE USEFUL; IT ISN’T ALWAYS A BAD THING. It’s just that when you get into the nuances of a security program, it is extremely difficult to determine a clear path. I opt for system-related activity, since that is where my threats are supposed to be.

So if this perspective boils down to the comment I started with, then consider me flawed. And I guess that makes the regulator perfect. Yikes.