Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Why Are Security Pros Blas About Compliance?
Oldest First  |  Newest First  |  Threaded View
Page 1 / 3   >   >>
Alison_Diana
100%
0%
Alison_Diana,
User Rank: Moderator
8/28/2014 | 2:28:06 PM
More Details Please
I'd love to know more about who responded to the studies. Focusing as I do on healthcare, many organizations don't have CSOs or CISOs, meaning there's no specific executive responsible for overseeing the overall security realm. That means they don't have a top-level exec partnerhing with chief counsel (inhouse or contract) -- and that means governance and compliance get shunted on to the CEO, COO, or other exec who has a gazillion other things going on. Since compliance involves a whole lot more than technology, it's important that ownership extends to someone who oversees security as a whole, not just tech.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/28/2014 | 3:19:25 PM
Regulators
I just commented about this in a previous article. As you say in the article, many corporations just strive to be compliant. This is setting the bar very low and definitely doesn't ensure data saftey which has been delineated by the recent breaches. 

What needs to happen is that higher compliance and security measures need to become standards. If this is set as the minimal requirement than organizations will follow shortly behind. Its unfortunate, but unless stringent repercussions are in place. In seems that frivolous corporate America will continue to cut corners.

**Above is a generalized statement. Does not apply to all organizations.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/29/2014 | 8:07:25 AM
Re: Regulators
There is a definitely a disconnect between being compliant enough to meet a low regulatory bar and being compliant to a regulation to improve an organization's'security profile. But @RyanSepe, do you think its an enforcement problem? In other words, will companies take better precautions if they know the penalties (outside of the cost of a breach) will be tougher?
Cybdiver
50%
50%
Cybdiver,
User Rank: Apprentice
8/29/2014 | 8:36:28 AM
Re: More Details Please
A perfect answer in my opinion.  The lack of technical understanding and support at the top levels of managment are usually the source of lack of compliance. 

Unfortuantly while they tout how much they want to be in compliance they forget the human factor is part of the securtiy too and fail to enforce the very rules of compliance required.  Getting a computer to cooperate is easy,  getting the board of directors and C level officers to follow rules is another trick.
aws0513
50%
50%
aws0513,
User Rank: Ninja
8/29/2014 | 8:39:42 AM
The culture of the organization.
In my IT security experiences, the level of attention to compliance by the security team was directly affected by the amount of management emphasis on the need for security and security compliance.

I am all about security compliance.  As a matter of fact, I tend to focus on not just compliance, but operationalization of compliance.  The establishment of policies and standards is first, followed closely by procedures and processes.  But it is the persistent utilization of those procedures and processes that really make security programs effective.

I also use compliance as a stick when I need to convince system owners and management that a certain control solution is necessary.  Often, it is the only stick I have.

The problem has commonly been that some organizational management still sees security as just overhead.  Security rarely contributes to the bottom line unless the organization business is security.  I have been in situations where the marketing team had more respect for the security aspects of the business than the corporate management.

The lax attitude by management directly affects the security team.  Even if a security team is ambitious about compliance, they quickly lose any motivation when running into a wall of management that falls asleep during discussions about security.  This demotivation is also augmented when management is slow to assist in obtaining resources to implement necessary controls to meet compliance.  It is the classic "why should I even try anymore" attitude that eventually defines the compliance culture of the security team and the entire organization.

It all comes down to the corporate culture established by the top management team.  If they consider security to be integral to their entire operations, then compliance will be much more evident in the security team plans and activities.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
8/29/2014 | 9:02:41 AM
Re: The culture of the organization.
You are right on the money. I remember when HIPAA first came out, and security and compliance experts were excited that they finally had a stick to wave. Well, they didn't -- because nothing happened when companies were not compliant with HIPAA. Now the government is finally taking action against organizations that aren't HIPAA-compliant, they do have something to back up their cautionary words; in the case of smaller organizations, which are equally culpable, a $100K fine can be make or break. But in the case of a huge multi-million dollar operation, that fine may be cheaper than actually being compliant. Unless the culture demands compliance and is committed to security, governance, and security -- and that has to come from the top.
Franois Amigorena
50%
50%
Franois Amigorena,
User Rank: Author
8/29/2014 | 9:04:20 AM
Re: Regulators
Thanks for your comment. I agree, it's always tempting to cut corners and perhaps we do need more stringent standards. Technology that can help organisations meet those standards more easily has a part to play too though.
Franois Amigorena
50%
50%
Franois Amigorena,
User Rank: Author
8/29/2014 | 9:05:31 AM
Re: More Details Please
Hi Alison, thanks for your comment. The sample was designed to be representative across industries, and a total of 57 out of the 500 identified as being in healthcare. You're quite right though, too often these issues are left to be dealt with by individuals with 100 other things on their plate. But even when there is a CISO the CEOs and COOs have to take some responsibility and ownership; as you say technology alone can't solve the problem so you do need commitment from the very top.
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
8/29/2014 | 9:55:33 AM
Re: More Details Please
I'm not sure I agree that security pros are blase' about compliance. In many organizations, it's compliance, not security, that drives budget/funding for many security-related projects. CEOs understand that they must prove compliance in order to operate in their industries, so they sometimes are willing to part with budget for compliance in a way that they won't do for security alone. In those cases, compliance becomes the driver for a security project, because there is budget there.

I think your two examples represent the extremes of compliance. SOX requires security but offers almost no specifics on how to achieve it. PCI, on the other hand, requires that enterprises meet more than 100 specific requirements, and even mandates the use of specific technologies such as WAFs. Security professionals may feel ambivalent about SOX, primarily because there is not much direction for them to work with. PCI, conversely, means implementing specific controls before the auditor arrives.
Franois Amigorena
50%
50%
Franois Amigorena,
User Rank: Author
8/29/2014 | 11:11:12 AM
Re: The culture of the organization.
Thanks for your comment. I absolutely agree. Management must set an example and it's interesting to hear about your experience where that has far from been the case. I know that security teams can often have difficulty explaining the necessity of meeting certain security measures, and of course it's hard to get the message across when it's not something that affects the organisation's bottom line.

Really, management should be getting a big red warning sign that this should really matter to them, as top level executives at huge businesses are losing their jobs as a result of security related issues. 
Page 1 / 3   >   >>


Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20477
PUBLISHED: 2020-02-19
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
CVE-2019-20478
PUBLISHED: 2020-02-19
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
CVE-2011-2054
PUBLISHED: 2020-02-19
A vulnerability in the Cisco ASA that could allow a remote attacker to successfully authenticate using the Cisco AnyConnect VPN client if the Secondary Authentication type is LDAP and the password is left blank, providing the primary credentials are correct. The vulnerabilities is due to improper in...
CVE-2015-0749
PUBLISHED: 2020-02-19
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker ...
CVE-2015-9543
PUBLISHED: 2020-02-19
An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is rel...