This is a question that security professionals the world over debate endlessly.

Does compliance actually mean better security?

The simple answer is that in and of itself, no, compliance does not improve security. Compliance and security are two different things.

In my opinion, compliance is primarily about reporting, arse covering and finger pointing.

Security on the other hand, is about truly protecting information and requires changes to your corporate attitude, systems and people.

Compliance is a box ticking exercise designed to show that an organisation has a pre-defined minimum level of security. The key points here are “show” and “minimum”.

When we talk about compliance you don’t get extra points for having better than the minimum required level of security. You don’t get to include other aspects of security, which may have been implemented by your organisation but which aren’t required under your compliance regime.

And where your organisation meets your compliance requirements, it doesn’t mean that the security in use has been implemented effectively.

Real security is achieved by marrying 5 key areas using a risk-based approach:

1. Corporate Culture

Adopt a “Culture of Security” within your organisation. This really means a top-down approach, getting business owners and senior managers to not only understand why security is important, but have them adopt it as a philosophy which can then be passed down through the various levels of the business.

Only where an organisation emphasises security from within its very culture will staff, employees, temps and contractors understand and accept their own part in securing corporate or personal data and take it seriously enough to care.

2. Policies and Procedures

If having a “Culture of Security” is vital to improving security within your business, then suitable guiding principles, policies, standards and guidelines (collectively known as Information Security Policies) are how that approach should be implemented.

Information security policies are often cumbersome, “legalistic” documents which are issued to staff perhaps once at the start of their employment.

However, this approach doesn’t work. Most staff don’t read them thoroughly or merely flick through them. And the overly legal language often used is unlikely to encourage readership, let alone understanding.

Information security policies should be written in a simple to understand manner and kept as brief as possible for the organisation in question. Only this way will they ever actually be read, let alone understood and acted upon!

They should also be regularly reviewed and reissued to staff to ensure any amendments are understood and adopted.

3. Training and Awareness

Which brings us on to training and awareness.

Staff are usually the weakest link when it comes to security. They are also your best defence if they understand their roles properly.

Staff implement technology. They design and build systems, create processes and procedures and handle information on a daily basis.

With the proper training and an understanding of security they can do all of these tasks far more safely.

We educate people about Health and Safety, we train people on First Aid and Emergency Procedures, but how many organisations actually train their staff how to protect information, why it’s important, what to do following an incident and where to go for help?

This step alone can massively reduce an organisation’s information security risks and it is probably one of the cheapest and most cost-effective solutions any business could implement – offering much better value for money than many technology-based solutions.

4. The Right Technical Solutions

Which brings me on to technology.

Technology is amazing. It can help us achieve so much in terms of security and there are new solutions to problems we never knew we had coming out all the time.

But knowing what to implement and doing so effectively is essential.

As we have already seen, technology is not the panacea many think it is when it comes to security. Sure it can do an awful lot to protect things but the simple fact is that if it is the wrong solution for your business or it is implemented badly then it is not going to provide the protection you were looking for.

So getting the right advice, speaking to professionals and not being “sold to” is key to ensuring the solutions you employ are right for your business.

Then you need to make sure that the technology you’re using to protect your data is implemented properly. It’s no use having loads of amazing systems if they all have the default usernames and passwords or have been installed on platforms which haven’t been properly security hardened.

All you’re doing then is moving the problem around.

5. Test Your Security

Let’s face it, you might have the best security in the world or you might have the worst – but unless you actually test it you will NEVER know.

Penetration testing is one way. This is where professional “hackers” are paid to attempt to break in to your systems. It is a great way of testing your infrastructure and defences. However, it is only ever a point-in-time test and new vulnerabilities or changes to your systems and architecture can negate the results instantly.

Vulnerability assessments provide an on-going check of your infrastructure and can instantly highlight any issues or areas of concern. They can also often be used to model changes to your network before you apply them, to see how it affects your overall security.

In addition to technical security testing, other approaches can be used to target the people and operational aspects of a business including social engineering, physical access and business continuity testing. These tests are designed to test your training, staff awareness, access controls and your business’s ability to survive and recover from the unexpected.

Where possible some or all of these should be performed on a regular basis, and often as a surprise rather than as a scheduled activity, to give the test a genuine feel and provide more realistic results.

Conclusion

So do you want security or compliance?

Compliance is probably cheaper and easier to obtain, although this may depend in large part on the regime you’re complying with.

Real security on the other hand is probably more expensive and involves more work. But ultimately it is also giving you and your clients something more. It’s providing a genuine level of protection for sensitive information and truly helping to safeguard data.
