Everyone who is related to security in any company understands the complexity associated with meeting all the regulations that are imposed by compliance requirements. Failing in that can lead to significant losses and other unpleasant consequences, so everybody do their best to live up to the challenge. But there is a problem with that.
Being compliant for most people means that they meet all security and safety regulations and therefore there is nothing else to worry about in terms of security. This is a common misconception that has to be eliminated. And here’s why.
How Compliance Helps Security
Let’s start with the positive part. Indeed, being compliant means that your company meets the regulations that it has to work under. Quite often compliancy really fills in the security gaps that are common for certain industries.
Compliance is a strong motivator for companies to be up to date with the modern world, it’s an incentive that can help businesses to be more secure and live up to the standards:
- Compliance can be a strong motivator to start thinking about security, a reason to start improvements;
- Compliance can drive budget to security;
- Compliance can define the absolute minimum security levels that everybody needs to have.
As you can see there is indeed a strong relationship between those two. But yet it doesn’t mean that they are equal.
How Are They Different
Compliance defines the minimum security level that everybody should have. It doesn’t guarantee that it’s enough. And in fact, in most cases it clearly isn’t.
It’s like having a door in your house. Being compliant would mean just having some sort of door. But if you really want to keep your home safe, you would at least add some locks to your door or even change it for a reinforced one. Despite the fact that no locks are actually required, you will still add them, won’t you?
Another problem arises from the fact that for many companies out there being compliant just means keeping the auditors happy and ticking all the boxes that they provide.
Import-Module ActiveDirectory
$file = "\\SERVER\Share\users.csv"
$targetDN = "CN=Users,DC=domain,DC=com"
$importedUsers = Import-Csv $file
foreach ($user in $importedUsers)
{
$user.Password = ConvertTo-SecureString -AsPlainText $user.Password -Force
$user.Enabled = [System.Boolean]::Parse($user.Enabled)
$user | New-ADUser -Path $targetDN
}The checkbox mentality is a dangerous path to choose. Many companies that are ‘compliant’ on paper have suffered significant breaches. That is a really painful way to learn that you needs an advanced security program that goes beyond the basic levels defined by compliance requirements.
It is also vital to understand that compliance is a set of approved rules that can take a lot of time to change, meaning that they are really slow to respond to the constantly evolving situation in the world of security. New threats arise every day and it is your problem to keep up with them. If you really want to be secure, rely on yourself, not on somebody else who is composing compliance requirements.
Conclusion
At the end of the day, being compliant hardly means being secure in the real world. That is a problem that practically all companies can face, but unfortunately not all of them realize that the problem is actually there.
The message is that differentiating between ticking all the compliance checkboxes doesn’t mean that there are no security issues that should be addressed. There are lots ways that security can be improved beyond the regulation limits. Use compliance as a starting point, but don't stop after that.