In this post, we get insights from Tim Rohrbaugh, VP North America, ControlCase, who, along with Kishor Vaswani, CEO, ControlCase, will present “Balancing Security and Compliance” at the North America Community Meeting in Las Vegas.
What are the key differences in compliance and security?
Tim Rohrbaugh: We are all products of our experiences. I came to security through the military, during the time of the cold war. For me, securing communication and information was real and tangible (think analog world). I would never have thought the act of assessing how we do security was very important. In hindsight, the disregard (harsh, I know) for the role of assessing (“compliance”), with respect to a security framework, came from the maturity of the security program that I was involved in. Fast forward through many seasons: I find myself knowing security strategy innately because of new and varied experiences, and now see the error in my thinking of long ago.
Applying long-held security disciplines in the commercial world is arguably still in a state of infancy. Why? The enemy is not clear. The corporate role held responsible for this task is siloed. Value is perceived and measured in varying degree. The consequences of ignorance or missteps or plain disregard vary greatly. And lastly, there are too few people who assume the position of security practitioner. Simply stated, this is a complex environment for assessing one’s actions as appropriate to limiting loss.
In light of the preceding context, security goals are about limiting unexpected loss and mitigating consequences of a security event. Compliance is the act of agreeing to measure one’s approach according to a framework of best practices. The purpose or goal of agreeing to allow an assessment varies based on where you are in the maturity lifecycle. Less mature security programs mean you will value assessment as a blueprint of where to start and where to go (to a point). With a more mature security program, you are looking for validation and an elegant way to explain to others that you take security seriously; you know external validation can only help; and there is value in others knowing that they can at least use the assessment results as the basis for trust.
So, define the goals and apply the results of each to your advantage.
What are common missteps you see when it comes to balancing security and compliance?
Tim Rohrbaugh: Dedicating labor to compliance items to the detriment of the correct security actions defined by your risk assessment.
Chicken or egg- which came first? I’m not going to debate that one, but more to the point, which comes first- security or compliance? That one, I will invest time in an argument if you want… but security is the answer.
Big “C” Compliance is your adherence to federal or state law and little “c” compliance is your adherence to private regulations or contracts. All of these compliance requirements identify following a framework of “shall” statements. The framework is usually the result of lessons learned from security incidents. Which means that security (or lack thereof) came first and these best practices were put into a framework and the framework became what was required for minimum compliance…
Balancing security and compliance must mean that the security program’s first and foremost goal must be to take actions in order to protect shareholder, employee, and director/officer value by preventing/limiting loss. As long as compliance requirements align with those priorities, identified based on a risk analysis, then all is good. Though, if compliance drives capital and/or labor from the priorities, you have a conflict that needs to be addressed. This is colloquially referred to as the tail wagging the dog. Which is not as bad as it seems… the tail wagging may make the dog happy. Case in point, a study found that people who read a passage of a book with a pencil held between their teeth will rate the passage as funnier. This means the forced expression of the face modified the perception of what was experienced. Compliance can be used to feel and effectively be more secure, but only if the cost of this unnatural way of doing things does not sacrifice too much. E.g. if you have a budget already associated with the systems you need and you are at a crossroads because a compliance requirement obligates you to move monies to a different requirement that is less effective or altogether not the correct solution for reducing your risk, then the smile you receive from complying will quickly turn sour when you are breached.
So, focus on security first and use compliance gaps that align to justify the investment. But, if the compliance item is not material to your specific risk, seek additional investment from other stakeholders who directly benefit from compliance, all the while keeping your eye on the target- mitigate risk where the least effort brings the most risk-reduction in the short term.
Your presentation will highlight that compliance should be an outcome of security- can you explain?
Tim Rohrbaugh: I’ve long said that compliance is the byproduct of a well-thought-out security program. What this point of view means is that, in essence, a security program’s goal is to make a criminal’s job more difficult or to make human error less likely, or make it more identifiable. The goal of a compliance program is to measure a security program against best practices. Best practices are the combination of actions that a broad group has found were successful at defending against or missing, from security events in the past. So, if you find yourself in charge of a security program and you build the program and get support from management to do so, you will most likely take actions that are aligned with best practices. Also, you will most likely go beyond those best practices where your specific risk analysis dictates response is needed. What you should be left with in the end is the labor to produce the evidence required to demonstrate you are following the compliance framework.
What steps should organizations take to create a culture of security?
Tim Rohrbaugh: The first flaw that must be overcome in the commercial world is that security is the responsibility of a few. Unless we address this, very little change will occur. To create a culture of security, we must move to the belief that security is everyone’s responsibility. Everyone in an organization must embrace the responsibility to protect the company from those who want to steal its value or damage its brand. This is the natural state- protect your company because it benefits you. But of course, there are people who are more adept at security strategy. So, there needs to be leadership.
With that said, culture is difficult to force on a group of people. It can be developed slowly by using some tactics best illustrated in the book Switch- by Dan & Chip Heath. If you have not read this book, I strongly recommend it for anyone who wants to change or be part of a change movement. The simple metaphor that Dan and Chip use draws on a rider and his elephant being the two sides you must deal with when trying to change people’s minds. Right now we need to change people’s minds with respect to the role each person plays within security.
One important lesson I’ve learned is that the security program owner must first be the evangelist for security efforts, a mentor second and lastly a marketer. If the last seems like too great a leap, then they need to hire a marketer to help explain why a security approach and investment of time and effort ultimately benefits the company, employees, shareholders…
What is the one key takeaway you hope attendees will come away with after your discussion?
Tim Rohrbaugh: If a security program is the act of limiting loss based on the context of your specific and personal situation and compliance is the evaluation of those actions against a framework of best practices, then…
Proper security actions must be 90% foundational and 10% dynamic and compliance must be focusing on things that are 100% foundational.
Security is more an art than science. So the range to be debated is the 10% dynamic, which varies based on the company and their specific risk and where they derive their feedback from. Compliance is feedback (how well you meet best practices or how well your program is viewed based on the evidence).
Want to learn more? Attend Tim’s session at this year’s North America Community Meeting in Las Vegas on September 20th - 22nd.