Recently a client asked, ‘Do I have to do that to be compliant?’ in response to our cyber security recommendations. In truth that question gets asked numerous times in numerous ways. That type of question shows us one of the biggest problems in InfoSec today. Recently the PCI Council’s General Manager Stephen Orfei said “Compliance is one point in time. Reducing risk has to be our new mindset”. He could not be more correct.
Compliance and frameworks are great for baselines, and audits to validate that practices and procedures are in place and effective are a necessity. But to think that taking a single point in time and saying that as of that day, that hour, that minute, an organization is in compliance with a framework makes an organization safe is a fool’s paradise.
So what should organizations do? As stated by Mr. Orfei, keeping a risk-based mindset will take an organization down the road of both continuous compliance and a secure environment. Consider one small example, that of segregation. Some cases require segregation of protected information. But if it is not required does that mean an organization shouldn’t segregate sensitive information? Of course not! If by segregation you are reducing the attack surface, and therefore reducing risk by reducing how vulnerable the sensitive data remains, then the organization, whether mandated or not should segregate.
Developing this type of culture is key. A secure ecosystem is enhanced greatly if the culture of the entire organization has a mindset of reducing risk. Recently a developer said to a security consultant about a recommendation, “if it’s not required I’m not doing it”. Such a dangerous mindset. Let’s illustrate this, someone has a stack of 100 dollar bills, they have the option of leaving them out on the coffee table, hiding them under the mattress or putting them in a safe in the wall. Why wouldn’t they put them in the safe? Now what if they don’t have a safe? Then how much would it cost to put in a safe? Is it worth it? Depends on how many hundreds are in that stack and what is the cost of installing the safe. But a risk-based approach would make the individual think, at the very least, what is the most secure way I can store this stack of hundreds?
So let’s change the culture of our organization as much as we can instead of asking ‘Do I have to do it?’ Let’s start asking ‘why wouldn’t I do it’? when evaluating security inside our organizations.