It was Albert Einstein who defined insanity as: “Doing the same thing over and over again and expecting different results.” But, yet again, the Government (e.g., the Cyber Security Framework or the Federal Financial Institutions Examination Council cybersecurity vulnerability and risk-mitigation assessment) is on the compliance bandwagon in an attempt to drive industry to “up their game” and better defend their organizations from cyber-criminals and nation-state hackers. Within the U.S. Government administrative branch, the primary compliance mechanism is the Federal Information Security Management Act (FISMA). FISMA has been in place for twelve very long years. Somewhere around year four, FISMA was quietly renamed by some federal Chief Information Security Officers (CISOs) as the “Feckless Information Security Measures Annually.” Of course, many industry sectors (e.g., financial, health and energy) have also been bitten by the cyber compliance/standards bug and, like their federal brethren, now have a very cynical view of compliance-based cyber-security.
So, why is compliance-based cyber-security consistently a bad idea and the target for so much cynicism? Truth be told, I think compliance standards actually do have a role in driving healthy cyber-security programs. However, for many organizations, satisfying the increasingly demanding internal and external “compliance police” has not only overwhelmed limited resources, but has created unbalanced cyber security strategies and protection measure implementations. As one CISO recently told me: “I’m the CISO but the compliance police set my cyber security agenda.” Obviously, this is a very unhealthy condition. Here is why:
First, compliance standards tend to paint a wide brushstroke of broad requirements that are often painfully obvious and even irrelevant. For example, while recently helping one of my financial institution clients prepare a response to a federal regulator, I was struck by how some of the questions were simply too broad and not very useful. One question asked the financial institution to choose five critical controls (from the SANS twenty critical controls) that most needed addressing at their institution. What? Has federal cyber risk compliance devolved into a game show? What if the institution has more than five critical cyber risks? Why not ten? For the life of me, I still cannot fathom how this question helps either the regulator understand the institution’s cyber risk (well, maybe five of them) or, more importantly, the financial institution better address its vulnerabilities; hopefully, they should know where they stand with all twenty.
Another issue is that compliance-based cyber security tends to be “issue reactionary.” More than one CISO has complained to me that every year the “compliance police” have a new cyber “cause” that is of paramount concern, and that everyone in cyber security should stop whatever they are working on and address the new compliance issue of the year. Remember white-listing? Two years ago compliance auditors wanted to know why financial organizations didn’t use white-listing software and how long it would take to get it. It really didn’t matter whether or not they truly understood the value/risk proposition involved in white-listing, but in 2012, it was at the top of the compliance checklist. However, in 2013, the top-of-the-checklist issue seemed to be cyber-intelligence (no comment). Almost every auditor wanted to know if and how the organization was collecting and using cyber-intelligence to “get ahead” of the next “hack.” However, it is 2014, white-listing and cyber-intelligence are now low on the menu, and the big question is now (feel free to guess and not read ahead) “Insider Misuse.” With the Snowden affair still fresh, cyber security auditors everywhere are pushing CISOs to crack down on privileged user access and to make sure we have no self-indulgent, emotionally challenged system administrators with too much access and a Russian passport.
Of course, the compliance angle that most aggravates every CISO is the “numbers metric.” How many viruses did you stop? How many got through? How many employees did you train? How many systems did you test and approve? And so on, and so on! Nothing is more frustrating to a CISO than having to spend critical cyber security cycles answering the numbers questions time and time again. Numbers do not stop sophisticated cyber criminals, very specific (tried and true) technical measures do!
So, what is the remedy for compliance-driven cyber security? As I noted earlier, the issue is not really the practice of compliance reviews but how cyber security compliance overwhelms (and often minimizes) thoughtful strategy and risk-considered protection measures. Remember the white-listing example? First, compliance needs to focus on measuring the degree to which the cyber security organization (e.g., the CISO) performs cyber security, rather than being the measure of how well the organization performs cyber security. Compliance should only ever be a small part of an organization’s cyber security strategy. Second, cyber security compliance reviews need to focus on the ability of the organization’s information security program to influence IT strategic and tactical decisions. For me, the most important cyber security metric is whether the cyber security program is actively engaged in the approval process for new system deployments and existing system configuration changes. This tells me the level of priority the organization places on cyber security. The next thing to measure is how well the organization actually defends its IT systems and data from unauthorized access and misuse. The key question to answer is: Is there an actual (documented) strategy, or just a collection of compliance-driven things to do? This is a broad topic, but there is now a well-understood discipline of both technical measures and processes/procedures that can greatly minimize risk. Next, the compliance auditors need to focus on how well the organization knows and monitors its networks and systems for misuse and data exfiltration. Again, there is now a very clear body of sound (and measurable) evidence regarding how to do this right and how to do this wrong.
Lastly, compliance auditors should focus on how well the cyber security function performs its own blue, white and grey hat testing of the organization’s networks and systems, and measure how well the test results are incorporated into changes in policies and IT architecture.
I recently trained a staff of IT auditors on how to more effectively measure their organization’s IT security program effectiveness. We began by breaking down the high-level regulatory compliance measures into sets of functional and detailed “measurable” metrics. First, we tossed out all “numbers” questions. Next, since this organization used Microsoft client/server products, the audit looked specifically at how well the organization secured its Microsoft client/server environment, particularly regarding access to the Internet! Similarly, we developed a set of security metrics to evaluate how well the organization protected all Internet-facing systems and customer portals. We minimized all the broad and/or unmeasurable general risk questions and translated the trendy (questions of the year) into useful security metrics. For example, the vague questions regarding insider misuse were specifically restated to focus on how well the organization enforced data access rules and separated classes of privileged administrators. Not only did the IT auditors find this approach more useful and productive, but the IT operations and IT security organizations were dramatically more cooperative and, for the first time, felt their time spent responding to the audit was time well spent. The CISO felt, again for the first time, that the IT auditors were not “driving” the cyber security agenda and were now clearly adding value to his program.
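As an added illustration (not from the article or the author's audit), here is what restating the “insider misuse” question as measurable checks can look like: the three functions below score a group-membership export against separation of privileged administrator classes, Internet access for admin accounts, and department-based data access rules. The tier names, group names and the export itself are constructed assumptions, not anything the article describes.

```python
"""Measurable checks for the vague audit question "how well do you control
insider misuse?" over a constructed group-membership export. All tier, group
and account names are assumptions made for this example."""

# Assumed admin classes (tiers); holding rights in more than one is a finding.
ADMIN_TIERS = {
    "tier0": {"Domain Admins", "Enterprise Admins"},
    "tier1": {"Server Admins"},
    "tier2": {"Workstation Admins"},
}
INTERNET_GROUP = "Internet-Allowed"  # assumed proxy/egress permission group

# Constructed export: account -> (department, set of group memberships)
EXPORT = {
    "alice":   ("IT",      {"Domain Admins", "Workstation Admins"}),
    "bob":     ("IT",      {"Server Admins", "Internet-Allowed"}),
    "carol":   ("IT",      {"Workstation Admins"}),
    "dave":    ("Finance", {"Finance-Data", "Internet-Allowed"}),
    "eve":     ("IT",      {"Finance-Data", "Workstation Admins"}),
    "svc_sql": ("IT",      {"Domain Admins"}),
}

# Assumed data access rule: which data groups each department may hold.
DATA_RULES = {"Finance": {"Finance-Data"}}
DATA_GROUPS = {g for groups in DATA_RULES.values() for g in groups}


def tiers_of(groups):
    """Admin tiers an account belongs to, based on its group memberships."""
    return {tier for tier, names in ADMIN_TIERS.items() if groups & names}


def tier_overlap(export=EXPORT):
    """Accounts holding admin rights in more than one tier (no separation)."""
    return sorted(a for a, (_, g) in export.items() if len(tiers_of(g)) > 1)


def privileged_with_internet(export=EXPORT):
    """Admin accounts that are also allowed to browse the Internet."""
    return sorted(a for a, (_, g) in export.items()
                  if tiers_of(g) and INTERNET_GROUP in g)


def data_rule_violations(export=EXPORT):
    """Accounts holding a data group their department is not allowed."""
    return sorted(a for a, (dept, g) in export.items()
                  if (g & DATA_GROUPS) - DATA_RULES.get(dept, set()))


def metrics(export=EXPORT):
    """Counts an auditor can track from one review to the next."""
    return {"tier_overlap": len(tier_overlap(export)),
            "privileged_with_internet": len(privileged_with_internet(export)),
            "data_rule_violations": len(data_rule_violations(export))}
```

Each count is zero in a well-separated environment, so the metric is “how many exceptions exist and whether the number falls over time,” not “how many admins do you have.”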