We place so much emphasis on being compliant and passing security audits and checklists that offer the board and executive a warm, fuzzy, feeling of being protected. This false sense of security leaves you a lot less protected than you might think.
Whether it’s compliance with a standard like ISO 27001 or PCI, the Australian federal government’s Information Security Manual (ISM) 2016 or Office of the Auditor General’s review, compliance is demonstrating that you have met the minimum requirements for that body. The key word in this last statement though is “minimum,” and what you need to remember is that it’s their minimum standard, not necessarily yours. The biggest mistake made concerning compliance is organisations trusting that someone else’s minimum standard is their minimum. Thus, compliance becomes nothing more than mere box ticking on a compliance spreadsheet. The harsh lesson here won’t occur until you’re explaining to shareholders what the impact of the recent data breach will be because you were compliant, not secure.
Take the following example, a hardware manufacturer gets a clean bill of health from a governing body through passing their audit and are therefore compliant. Over a period though, they realise that stock is going missing. Despite one investigation after the other, they cannot pinpoint the threat vector (how it leaves the organisation) nor who the threat actor (person performing the action) is. After months of investigation they recall that they have CCTV of their dock, they go back and review it and bingo, culprit found, and vector identified. But hang on, they were compliant, and that stated they needed to have CCTV of their dock, so why did this happen?
It happened because the organisation trusted that being compliant meant being secure, what else could they have done then? Of course, they could have engaged a cyber-security professional to assist with their cyber security strategy which would align their business objectives with cyber security measures. You probably expected me to say that, but the fact here is that we engage a professional accounting firm for our financial arrangements, or hire an internal professional, why should this be any different? The cyber security professional will assist you to determine what security controls, procedural, logical and physical are required for you, to address the threats you face. In this instance, CCTV footage placed a green tick in the compliance box and then was left out there to flap about in the breeze, literally doing nothing. Instead, review of the CCTV footage should have been part of the incident response plan, the plan that should also have been engaged each time an incident occurred. Is there even an incident response plan? Is there a box on the audit schedule for that? See what I mean?
Another example is that of password management and specifically, complexity. The control out of the ISM states that where a passphrase is the only form of authentication used, then the password must be ten characters long and have at least three of the following traits:
- Uppercase
- Lowercase
- Numerical
- Special
Now, that doesn’t prevent someone from using Password123 as their password, which will be one of the first tries even a basic password attacker will try. Are you compliant? Yes, is it sufficient? No. There is a great deal more to consider in password management, but this demonstrates well that compliance with someone else’s requirements should not provide you with that warm fuzzy feeling of being secure.
So, please remember it is YOUR organisation, not theirs, you should determine what your security requirements are, based on the types of threats you face and the systems and services you have. I would strongly encourage you to invest in or engage a professional that can assist you with this process. If you are unsure where to start, perhaps consider contacting one of the professional bodies such as the Australian Information Security Association (AISA).
It’s your information and your business!
About the Author
David Stafford-Gaffney is an information risk and security professional with over two decades in the ICT sector in roles ranging from hands on technical, to operational management and business development. He has established two businesses from scratch and his strong business acumen enables him to understand acutely the need to align security with business requirements. He is passionate about leadership, Information Security and assurance and improving the industry as a whole.
