Dark Reading is part of the Informa Tech Division of Informa PLC
Why Are Security Pros Blasé About Compliance?

A survey of 500 IT and security decision makers in the UK and US shows that a majority are in the dark about regulatory requirements for their business organization.

Regulatory compliance is often seen as an oppressive demand on an organization, something that must be adhered to because, well, it just has to be, rather than because it benefits the business.

For some IT and security professionals, it's tempting to view the importance of complying with regulatory rules on how to secure data as secondary to their own security measures. You know how to secure your organization's data better than a government agency, right?

The truth is that many regulation sets have very specific requirements around how data is stored and secured, making them very much a consideration for IT. In the US, the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) are a case in point.

SOX compliant? Not sure…
A recent IS Decisions survey of 500 IT decision makers in the UK and US shows that a majority of IT professionals are in the dark about whether there even are regulatory requirements for their organization. A full 57% of respondents in the US "don't know" whether they are compliant with SOX or not.

SOX, as you probably know, applies to public companies and as such is designed to ensure the accuracy of financial data and combat fraudulent activity. It is quite specific about addressing one of the greatest security challenges, particularly for large organizations: insider threats.

Most US organizations are not publicly listed, so perhaps IT teams can be excused for not being sure about their SOX compliance. But firstly, SOX must be considered -- this is federal law. Though it doesn't apply if your business is not publicly listed, some awareness of its implications can't hurt.

Moreover, the sheer number of internal security breaches occurring in US businesses every day -- our research told us the number is more than 2,500 -- indicates that businesses of every size and financial status could benefit from being aware of these regulations and how they can protect sensitive data.

PCI: widely applicable, broadly ignored
On the other hand, PCI DSS applies to a far larger share of businesses. The international regulatory standard around the storing, processing, and protection of credit card information applies to all businesses that take card payments, which is most businesses. Yet two-thirds of IT professionals are not sure whether they are compliant or not, according to our research.

Although the breach-stricken Target appears to have been approved as PCI compliant by the security firm Trustwave, a lawsuit filed against the two organizations claimed that the retailer was not entirely adherent to the regulations. Though Target passed compliance testing in September 2012, according to the complaint, the auditors did notice some warning signs at the time, including a lack of network segmentation between card data and the rest of the corporate network. This suggests that, even though Target passed muster, compliance may easily have lapsed in the time before the breach occurred.

Though the lawsuit has now been dropped, the revelations and the fact that the huge breach of cardholder data occurred indicate that PCI compliance is not just a regulatory burden. It's not even a business "must." It's a minimum requirement. Further, it is not a requirement to be met only when the auditors are around; it must be an always-adhered-to standard. Yet two-thirds of IT professionals told us they don't even know if they're meeting those requirements.

Technology is just part of the solution
Like many aspects of tackling internal security, achieving compliance with regulations like SOX and PCI can seem insurmountable. Internal security and the related issue of insider threats have to be approached from a cultural perspective, with fundamental changes made to user education and attitudes.

We have seen the results of failing to meet regulatory standards in examples like the Target case, and we know that the internal security breaches these regulations are designed to combat are occurring on an astoundingly regular basis. What will it take for security teams to show less indifference toward compliance? Let's chat about that in the comments.

François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues. IS Decisions software makes it easy to protect against unauthorized access to networks and the sensitive files within. Its customers include the FBI, the US ...

User Rank: Ninja
9/9/2014 | 10:48:07 AM
Re: The culture of the organization.
Those are some of the big regulatory players for sure.

If there were anything to add, specifically in the US, it would be state laws or regulations.
More and more I am running into situations where states have established statutory requirements for the protection and handling of specific categories of data that may exceed or augment some of the regulatory directives you listed.

So many fingers in the regulatory security jar. 

Not complaining... any regulatory requirement from any angle helps in the effort to gain resources and support for security controls that are necessary. But the complexity of bringing all of the requirements together and addressing them accordingly can be daunting at times.
User Rank: Ninja
9/8/2014 | 4:30:06 PM
Re: The culture of the organization.
I think enforcement is as follows:

HIPAA - Office of Civil Rights, Department of Health and Human Services
HITECH - Office of Civil Rights, Department of Health and Human Services
FERPA - Family Policy Compliance Office, Department of Education
FOIA  - Federal Court, Department of Justice (states have similar regulations)
Dodd-Frank - Securities and Exchange Commission
FINRA - FINRA (check a ruling by the Court of Appeals for the Second Circuit)
FRCP - Federal Court, Department of Justice
MiFID - European Union Countries
User Rank: Apprentice
9/8/2014 | 4:00:04 PM
Re: The culture of the organization.
The entities involved in the investigations and litigations are varied, but the top three were the Department of Justice (DOJ), the Securities and Exchange Commission (SEC), and the Environmental Protection Agency (EPA).

Healthcare, technology/communications, and energy companies were the prime target of the DOJ. Surprisingly, energy companies were two times more likely than financial services to be the primary target of the SEC. Energy companies were also the target of the EPA, with manufacturing also having been a heavy target.

Rounding out the top ten list of agencies targeting businesses in regulatory investigations was the State Attorney General, Occupational Safety and Health Administration (OSHA), Financial Industry Regulatory Authority (FINRA), the Internal Revenue Service (IRS), the US Attorney's Office, the Food and Drug Administration (FDA), and the State District or County Attorney. 

I have a whole post about the issue on our blog, with links to the surveys I mentioned, and go into more, but I'm not trying to be spammy. First half of username dot com slash blog
Marilyn Cohodas,
User Rank: Strategist
9/8/2014 | 3:31:25 PM
Re: The culture of the organization.
Who enforces these regulations @gwavajeff and do they have any teeth?
User Rank: Apprentice
9/8/2014 | 1:49:07 PM
Re: The culture of the organization.
I know you were focused on a couple of specific compliance regs. I wanted to point out that there are a number of other compliance regulations of which many organizations are not aware. Most notably the Federal Rules of Civil Procedure (FRCP). The FRCP requires companies to archive their electronic communications, which most assume is email, but this has now expanded to mobile device messages (SMS/MMS), instant messaging, as well as employees' social media messages.

Regulatory and investigation litigations have more than doubled in the last year. According to ESG, almost half of businesses surveyed had an eDiscovery request in the last 12 months, and Gartner expects that to be around 75% by the end of the year.

The Norton Rose Fulbright Annual Litigation Trends Survey found that regulatory litigations and investigations are the largest increase in concern for respondents in the last year, and regulatory litigation over the last year has more than doubled.

Here are a few more compliance regulations for those that are interested:

Financial Industries Regulations
  • FINRA, SEC, MiFID and FSA government rules
  • Dodd-Frank Act (which requires that you produce communications within 72 hours of an auditor request)

Governmental Entities Regulations
  • The Freedom of Information Act, "Sunshine Laws" (vary from state to state)

Education Institution Regulations
  • Family Education Rights and Privacy Act (FERPA)

Healthcare Facility Regulations

User Rank: Ninja
8/29/2014 | 3:56:38 PM
Re: More Details Please
Years ago, the hot topic was to align IT objectives to the goals of an organization. That remains true today, but in addition, security must also align with the goals of the organization. This is a more difficult task because most effects of security are so intangible. In reality, security aligns with IT goals, which in turn align with organizational goals. It really boils down to communicating security objectives not just in a way that is fit for executive consumption, but also to show how security itself aligns with and supports organizational goals. To be fair, this is not a one-sided task because in order to succeed, executive management must be receptive to the message. Again, in today's connected society, with the almost daily news of breaches, executives must listen.
Robert McDougal,
User Rank: Ninja
8/29/2014 | 2:52:17 PM
Re: More Details Please
In my experience it boils down to money. We have spent all of this money to become compliant; why would we want to spend more on a line item that does not add to the bottom line? Executives must be educated to the value of security and not just the necessity of it.
User Rank: Ninja
8/29/2014 | 2:42:35 PM
Re: More Details Please
@GonzSTL, I have brought this fact to the surface countless times and agree with you wholeheartedly. This is why the need for a CISO/CSO is so important. They need to be the drivers of forcing policy, improving standards, and things of that nature to the VPs and Execs.
Ed Telders,
User Rank: Apprentice
8/29/2014 | 1:14:38 PM
Re: The culture of the organization.
Actually, PCI DSS is a standard and not a regulation at all. In some ways, though, it has bigger impacts. This standard is a requirement because of contractual agreements your organization has agreed to for card processing. There are a few jurisdictions that have mandated PCI compliance to conduct business, but they are only a few. Compliance with PCI is a business and contractual issue. It has the impact of fines, sanctions, and public disclosure of PCI compliance status.

All good, still needs to be done, but let's be clear this is not a regulation. 
User Rank: Ninja
8/29/2014 | 12:42:24 PM
Re: More Details Please
I agree, Tim; security pros are not necessarily blasé about compliance. In fact, I'm sure that the vast majority of them take compliance and security very seriously. In my opinion, the biggest challenge they face can be summed up in this scenario:

Executive: Are all the boxes checked?

Security: Yes

Executive: Then we are done.

Security: But there is so much more that we should do to enhance security!

Executive: We are compliant, and that's all we are required to do. We have other priorities.

How many of you have experienced this, or something similar? I know I have, and in more than one instance. The really sad thing about this whole compliance/security thing is that if an organization cultivates a culture that includes secure practices in all aspects of its business, it will be compliant. When I examine the requirements of standards like PCI-DSS and the security and privacy sections of HIPAA, I cannot help but note that these are simply known security practices - none of them are novel ideas! Furthermore, if a CEO or CIO or any other C-level person does not promote this type of culture, then I submit that that executive does not have the best security interests of the organization at heart, and by extension, places their organization in jeopardy. I admit that most C-level executives are not security or even tech savvy, but in today's connected environment, they must wake up and smell the coffee.