GlobalSign Blog

26 Sep 2018

Regulatory Compliance Versus Real-World Risk Management: Don’t Confuse The Two

Whether you work in commerce, infrastructure, healthcare, or finance, complying with your industry’s unique set of security regulations is no doubt a chief operational objective.

Compliance standards like the NERC Critical Infrastructure Protection (CIP) standards for the utility industry and HIPAA for the medical industry are valuable, essential even, to ensure the uninterrupted flow of service and protect key stakeholders.

But compliance is only one side of the security coin. It is not one and the same with real-world risk management, and organizations that want to maintain a strong security posture would be wise to understand the subtle but important differences between the two.

Two Sides To The Security Coin

When it comes to compliance, there are often two views.

There’s the view you provide your auditor: the one that checks all the necessary boxes and says you’re good to go until your next mandated checkup. This view is often an inflated expression (in some cases more than others) of your actual capabilities.

Then, there’s the view that’s understood internally: the reality of your capabilities, the controls still on your roadmap, and the justifications for the difference between what the auditor sees and what is actually going on.

It’s important to understand that this discrepancy is usually not created maliciously, and it exists within many organizations. Compliance is a requirement for many businesses to operate, so it stands to reason that businesses will use available loopholes or other practices to remain compliant, and keep their doors open, while continuing to work on improving their security posture.

To avoid complacency, though, the last part of the previous sentence is key: continually working to improve your security posture. It’s ultimately up to you, not your auditor, to respond to evolving threats as they emerge and adapt to the changing security landscape within your industry. It’s this active approach, not passing an annual audit, that defines a genuinely resilient security stance.

If this ‘two view approach’ to compliance sounds new to you, it may be worthwhile to invest in learning more about your own security maturity. It’s important to ensure you properly understand your security controls, especially where and how they may differ from what you report to your auditor.

The Assessor’s Role

In many ways, the outcome of a compliance assessment says more about the quality of the assessor than about the security practices of the organization.

Not all assessors are created equal. Especially when asking questions about highly technical environments, they may not understand the deeper nuances, or the questions themselves may be open to interpretation. What can result is a mentality of ‘answering the question that was asked’, and only that, to avoid giving the assessor more information than they need.

Unfortunately, it’s an imperfect system. There are assessors who will deem companies compliant when they’re truly not. There are companies that outright lie about their capabilities. There are companies that should be compliant but have not been assessed properly. This will always be the case to some degree; there is no perfect solution.

Once again, it circles back to accountability and taking an offensive, attacker-minded approach to your security stance. There’s no such thing as security being ‘done’: you will never be 100% secure. Instead, security is a maturity process that changes and grows with your company and its environment over time.

A Starting Point

Compliance typically represents a low bar; that is, it’s the minimum required to protect the data, networks, applications, or clients in question. Compliance should not be viewed as ‘good enough’ or as a finish line to be crossed. Rather, compliance is a starting point.

That said, we all have to start somewhere. Perhaps for you, compliance is where you need to start.

Rather than focusing on checking off requirements on a list, though, companies should work with professionals to understand their risks within their specific business context. Done properly, this lets experts help your organization create a plan to continually improve its state of security over time, at a pace that makes sense for your company, for your customers, and for keeping your assets secure.

About the Author

Ryan Manship is the president of offensive security firm RedTeam Security. RedTeam enables clients to reduce their security risk through penetration testing and helps clients better understand their attack surface through free resources like its security blog and industry compliance checklists. Ryan has a BS in Information Technology with an emphasis on Networking and Security with a double minor in Philosophy and Humanities. He has appeared on ABC News, Business Insider, FOX, Tech Insider, has been quoted in Los Angeles Times, Bringmethenews, the Star Tribune, CSO Online, and regularly speaks at various security events.
