Compliance is a Minimum Security Standard, Not an End Goal

New laws and industry standards such as GDPR force affected organizations into an upheaval in order to meet the rigor of the new mandate. This compliance often means budget overhauls and rewritten policies and processes. And while there are benefits to the increased attention to and investment in data protection, this emphasis can also lead to a shift toward a misguided, compliance-centric approach to information security.

Compliance should never be the end goal of a security program, because regulations are rarely prescriptive and should only be viewed as a minimum standard.

Here are three reasons why:

1. Compliant Businesses Get Breached Too

It’s critical to remember that many—if not most—breaches disclosed in recent years occurred at compliant businesses. This means that compliance with the Payment Card Industry Data Security Standard (PCI-DSS), for example, has been unable to prevent numerous retailers, financial services institutions, and web hosting providers from being breached, just as the record-breaking number of healthcare data breaches in 2016 were suffered by HIPAA-compliant organizations.

2. Compliance, Stay in Your Corner

This trend reinforces how compliance standards should be operationalized and perceived. They are thoughtful guidelines for security that can help inform the foundations of a security program but are by no means sufficient. As a result, the most effective security programs view compliance as a relatively small component of a comprehensive security strategy.

While your organization will get some direction in areas such as data protection, privacy, and disclosure, there are many areas where regulations are not—and cannot be—prescriptive and offer little more than a strong recommendation to deploy a technical control, for example.

Therefore, it’s imperative to look beyond compliance when evaluating third-party risk, and conducting due diligence on prospective vendors.

For example, not all compliance bodies that enforce data storage standards mandate encryption. HIPAA in particular recommends, but does not require, that personal healthcare information stored electronically be encrypted. Just because a vendor for electronic medical record systems (EMRs) is HIPAA compliant does not mean it encrypts the PHI it stores. The same goes for GDPR; while the regulation strongly encourages that user data be encrypted and penalizes organizations that fail to safeguard user data effectively, it does not enforce encryption. This trend is echoed in the standards enforced by various other compliance bodies as well.

3. Static Compliance Programs Cannot Keep Up with Threats

Adversaries—whether seeking new ways to identify zero-day vulnerabilities or bypass the latest anti-fraud controls—are continually changing their tactics, techniques, and procedures (TTPs). These rapid shifts in risks and actual threats to organizations are reasons why security requires a dynamic and iterative approach to security.

Such an approach, however, contrasts significantly with the static nature of compliance standards and, as a result, compliance-centric security programs. HIPAA hasn’t amended its security requirements since it issued The Security Rule in 2003, despite the abundance of data breaches and ransomware attacks that have since struck the healthcare industry and compromised the PHI of millions of individuals. Updates to PCI, though more frequent, are outpaced by the speed with which threats evolve. Although the implementation of European MasterCard Visa (EMV) chip technology, for example, has helped reduce the prevalence of payment card fraud, various other types of fraud—ranging from gift card fraud to identity theft and tax fraud—have since increased.

Despite the fact that compliance standards should be but one component of a larger security strategy, achieving and maintaining compliance remains a burdensome and resource-intensive process. Factors ranging from strict deadlines and implementation complexities to steep non-compliance penalties are why, for many organizations, adopting a compliance-centric security approach can seem like a reasonable and judicious decision. But above all else, it’s important to remember that while many compliance standards do provide substantial security benefits, they are neither comprehensive nor flexible enough to serve as the sole focal point of an effective security program.

Block has been deleted or is unavailable.