Heightened Visibility Changes the Security Perception

Why does it sometimes feel as if the state of IT security has gotten worse since compliance came
around? It has not actually gotten any worse; rather, the gaps in IT security are now being
exposed in alarming ways that have the attention of everyone.

To understand it more clearly, let’s first wrap some historical context around why compliance
frameworks exist and then discuss a major contributing factor that continues to widen the gap
between our compliance and our security.

Legal and regulatory compliance frameworks usually originate from necessity. That necessity
usually surfaces as the result of an extraordinary event or trend whose catastrophic failure is rooted
in a “not my problem” mentality that won’t fix itself. (Whether we agree on the effects of regulation or
not is not the purpose of this discussion; let’s agree that this discussion is about the necessity of
security and not how to perfect it.)

IT security mandates were never meant to act as a blunt instrument of oppression; they were
designed to act as the subtle nudge to the industry to point out the obvious: the cost of inaction will
always outweigh the cost of action.

For years compliance-driven security initiatives have been shuffled to the bottom of the deck of
priorities while companies weathered the economic recession. When organizations were told that
they had to take “reasonable and appropriate measures” to secure their data, “reasonable and
appropriate” was interpreted as a battle cry that was conveniently favorable to doing very little at all.

Herein lies the primary problem as to why compliant and secure are not equal.

Offensive Capabilities Prove to Be a Business Inhibitor

Shifting gears away from the historical view to a more strategic view, the widening gap that exists
between “being compliant” and “being secure” exists because most nations have been focused on
developing their offensive capabilities (e.g. infiltration, espionage).

It has been an all-hands-on-deck focus on supporting a digital arms race in which attacks are
developed and deployed, many times with the knowledge that collateral damage is almost always the
result.

The odd phenomenon about a compliance-driven or reactive strategy is that the trickle-down effect
that provides some military or economic advantage is often wiped out by the collateral damage
inflicted on everyone. That’s the nature of a pure offense in this game.

It’s somewhat analogous to high-scoring football games. In football, a hurry-up offense is a
fast-paced strategy where the team with the ball runs plays in rapid succession with the goal of


13 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
