There’s a growing apprehension within government that companies that own and operate the nation’s critical infrastructures aren’t doing enough to ensure that appropriate cyber-security controls are in place to protect the key resources society depends on. Consequently, when Congress perceives a gap in leadership, policy or action, the result is often new legislation. The current interest at the federal level has resulted in the introduction of almost two dozen pieces of cyber-security legislation since January.
These proposals address everything from mandatory standards and data breach obligations to incident management and new compliance regimes.
As I study these pieces of legislation, the one thing that concerns me is the potential for negative implications and unintended consequences of creating more security compliance requirements. Regulation and the consequent compliance requirements could boost costs and misallocate resources without necessarily increasing security, because they place too much emphasis on the wrong things. It is therefore critical that any legislation avoid diverting resources from accomplishing real security by driving it further down the chief security officer’s (CSO’s) stack of priorities.
Most people will tell you that blind compliance with standards doesn’t equal good security, and there are many examples to back that up. Think of all the money, human capital and angst that have been spent complying with the Federal Information Security Management Act (FISMA) since it became law in 2002. According to Federal CIO Vivek Kundra, the paperwork required for FISMA compliance costs around $1,400 per page (no, that’s not a misprint). I’m sure that makes many vendors and consultants happy, but most CSOs could probably find uses for those dollars that would result in more meaningful improvements to overall security.
“The challenge in the electricity industry today is an excessive emphasis on compliance rather than holistic security,” said Ernie Hayden, managing principal for Verizon’s global energy and utilities security. “As a result, the primary focus of many senior executives is on avoiding compliance violations and fines, rather than taking an enterprise, protect-the-systems corporate focus.”
The debate over compliance versus security has been under increasing examination, and I recently read a line that made me pause: “Compliance rarely leads to good security, but good security almost always leads to compliance.” This is an observation that I think most security professionals would agree with. While compliance is a necessary component (some would say a necessary evil) in any high-value endeavor like security, it’s never enough to just say, “I’m secure.” That is, you must follow it up with a demonstration that you are secure. That’s compliance.
One of my colleagues breaks it down more simply: “Security is the theorem, compliance is the proof.” While there is certainly a place for regulation, especially when talking about the nation’s critical infrastructures, compliance is just the foundation of an overall security program.
“Compliance is important because it builds trust internally and externally,” said Tom Bowe, executive director of the Reliability Integration Division at PJM Interconnection. “However, as important as trust is in any environment, no entity can be so complacent to believe that compliance equals security. The evolution of threats and technologies is far more dynamic than that of compliance standards, so organizations need to be just as dynamic in evolving their security programs.”
That is as true a statement as ever, because threats and vulnerabilities are constantly changing. Security-related risk, like death and taxes, simply can’t be avoided. Compliance, on the other hand, is intrinsically binary: being compliant means simply that, at some fixed point in time, you either met all compliance requirements or you didn’t, and there’s very little tolerance for being noncompliant.
Achieving a high level of security maturity and being compliant within a regulatory environment requires one fundamental component: a strategic vision for security. A strategic plan should treat your compliance mission and the overall corporate security goals as complementary. But that’s a topic for a future column.
Mark Weatherford is former chief information security officer for California. Weatherford now serves as vice president and chief security officer for the North American Electric Reliability Corp., an organization of U.S. electrical grid operators.