Being "compliant" doesn't mean you're secure. Compliance keeps you out of jail. Security keeps you out of the news. - Brian Madden - BrianMadden.com
Written on Apr 18 2013


by Brian Madden

Two of the big areas of concern around the consumerization of IT and BYOD are security and compliance. Whenever I start talking about users being able to do whatever they want, or users bringing in their own devices, people in the audience consistently bring up questions around these topics.

A lot has been written by actual security professionals on the topic of "security versus compliance," so I'm not going to get into all of the details and analysis of that relationship. Rather I just want to look at how the two issues relate in terms of the consumerization of IT.

When it comes to consumerization, I can summarize the relationship of compliance and security with the following Venn diagram:

Fig 1. The Venn diagram of "Compliance" versus "Security"

People have long argued that if you're secure, then you're compliant, but I don't buy that (especially in the context of consumerization and FUIT). There are just too many weird things in the compliance world that have nothing to do with security anymore.

It's easy to understand how we got here. The problem is that for the compliance part, the regulations were written at very specific times and now describe concepts and best practices that are ten or twenty years old. It would be great if the regulations were written like, "You must be secure." But that's a subjective statement that's impossible to audit against, so instead the regulations have to be examples, for instance, "You must use AES-256 encryption on your laptops" since that's easy for an auditor to look at and then check "compliant" or "non-compliant" on the audit form.

Being compliant while not being secure is evident in this photo. (I don't know how to attribute it as it's all over the internet and I can't find the original source.)

Fig. 2. This gate is compliant

I'm sure that the gate in the photo above is compliant with whatever regulations cover gates. It's the right height. It has barbed wire across the top so it's the right level of security. Whoever ordered it probably said, "We need to restrict access to this road," so they consulted with the regulations which said, "You secure a road with a gate. The gate must be six feet tall, made of metal, etc." So they went and had their gate built. And this gate would even pass an audit, because the auditor would consult the same regulations as the people who built the gate. "You need to secure a road. The book says you need a gate. Let's see... Yep! That's a gate of the proper height with the right amount of barbed wire! Here's your compliance sticker."

Let's be honest, it's really about cost

So far most people reading this probably agree with the sentiment of this article. So what's the big problem? Like everything, it always comes down to money. Companies only have a finite amount of money to spend on IT (and IT security), and when it comes down to it, you are legally required to spend the money to be compliant. But do you have to spend the money to be secure? No! (I mean just cross your fingers and hope you don't have a breach, and if you do then blame someone else and get a job somewhere else.)

It's easy to spend money to be compliant. You buy X product to solve the "256-bit AES encryption" requirement of laptops, you buy Y product to enable "two factor authentication," you buy Z service to hunt for simple passwords. Those expenses are predictable AND you stay compliant. Score!

But how do you protect against FUIT and the greater unknown threats? Earlier this week I wrote an article describing how to rethink network and device security. While many people agreed with the general idea, some didn't like it because it was more expensive than the current approach. (By a lot!) I argued that to truly be secure, you have to do things like use an SSL-VPN for all your users (for all devices, on-premises and off), and you have to buy more advanced networking gear (each user on his own VLAN) and more advanced wireless gear (four devices per user). How much does all that cost?

It's way easier to ignore all that and to just buy the minimum you need to be compliant. And if you have to buy two million of your customers a one-year subscription to a credit score monitoring service since a user brought in their own device and saved that info into Dropbox, then that's fine. Your defense is that you were compliant and you fired that employee. Problem solved!

 
 




Comments

Peter Fretty wrote re: Being "compliant" doesn't mean you're secure. Compliance keeps you out of jail. Security keeps you out of the news.
on Thu, Apr 18 2013 9:21 AM

As you mention, it really does come down to costs. However, far too often people look at today's cost rather than looking at the long term cost or implication to the organization. Not saying this is an IT pro's misgiving, but it often shows that somewhere along the line the business case lacked the ability to demonstrate its value.

My view: businesses need to pursue security and compliance in step with one another. There is a real need to understand the potential for ROI and the drawbacks of doing nothing. Easy to say, not always easy to do.

appdetective wrote re: Being "compliant" doesn't mean you're secure. Compliance keeps you out of jail. Security keeps you out of the news.
on Wed, Apr 24 2013 10:01 AM

It's hard and expensive to do either when threats keep evolving and regulations are not clear and changing. It's all about risk management in the end. Regulators are so far behind the times, and if there were tech-savvy regulations then things could be better. I personally think the government needs to address this by making this a top level post so people are aware of what can and can't be done and define things that make sense. Not going to happen....
