Dark Reading is part of the Informa Tech Division of Informa PLC


12:58 PM

Seven Mistakes That Make Compliance Efforts Fail

The most common mistakes that can lead to flagged audits

Complying with security mandates is rarely easy. But most organizations make it even harder than necessary by failing to learn from the mistakes of others when developing their compliance programs.

For all the time and effort most enterprise and government organizations spend complying with regulatory and standards-body mandates, an awful lot of security firms can't seem to get compliance right. A study earlier this year showed that half of organizations have failed an audit, and 75 percent were not sure they'd pass their audits in the future.

According to most security and compliance experts, so many organizations fail because they make the same mistakes time and time again. The following are some of the most frequent blunders:

1. Managers Don't Think Like Auditors
Over the years, IT auditing veteran Glenn Gibson has seen far too many mid- to upper-level IT executives botch compliance efforts because they don't truly understand the regulations or standards they are subject to. He believes that many organizations can't satisfy auditors' demands because they don't have managers in place who can see their objectives with an auditor's eye.

He says that some of the most successful organizations in both compliance and security have policies that promote auditors from within.

"I've seen some companies where when you're hired as an auditor, you're only going to be one for two or three years and after that you're going to be moved into management," says Gibson, principal of security firm Zander Edward. "I think that is a very good way to do business if you're going to compensate those people well enough to stay, so they don't take that management and audit skill set and leave."

2. Resources Don't Match The Requirements
In government, the dreaded "unfunded mandate" is one of the biggest reasons why agencies can't comply with rules, both in and out of IT. The fact is that compliance efforts take manpower and technology to work, and both require resources.

"The money has to be there," says Gibson.

It isn't just a question of budgeting, but also of allocating the right staff to the efforts.

"Companies assign security duties to those least likely to fulfill them well: junior employees without security training or experience," says Bill Horne, owner of security consulting firm William Warren Consulting. "Usually it is part of the 'when you have time' lists given to apprentice system administrators who are most likely to bypass security restrictions when a senior employee asks them for a favor."

3. Organizations Ignore Human Nature
"There's a huge human nature element to compliance mandates," says Jeff Nigriny, CEO of CertiPath, an identity and credential certification organization specializing in government compliance. He believes that many organizations fail to comply when users aren't accounted for. End users must be properly trained, and they need to be apprised of the consequences of not following compliance policies.

The stick used to enforce compliance from end users doesn't always have to be as extreme as termination, either. Sometimes a humorous dose of embarrassment can work, too. When Nigriny was the CSO at an aerospace defense contractor, he had a bit of instructive fun with users who didn't follow company policy to lock unattended PCs. When he walked company halls and saw unlocked computers, he'd sit down and write emails on the user's behalf.

"I tried to make them funny. We had a manager that had a large team, and I told his entire team that he wasn't able to use all his vacation time for the year and the first people that got to HR to ask for it could use his remaining vacation time as paid time off," he says. "There was a huge line at HR and he figured out what happened shortly thereafter."

NEXT: Four more blunders.
