Do we still have infosec compliance? Is the concept of upholding data and computer security outmoded?
I showed in my previous piece how early attempts at compliance were based on pre-computer principles of locks and keys, until organizations realized that model no longer fit. The new technology evolved so quickly that it became futile to look back to traditional ways for security solutions.
Being in infosec compliance is frustrating. We want to protect, not restrict. If you’re a compliance manager, you’ll be familiar with the positive arguments we put forward about how compliance enables business, how it inoculates against legal pitfalls and how it can enhance an organization’s reputation (so important for market competition). In spite of all this, security really is an inhibitor. In this era of technological breakthrough and pressure to innovate, compliance can seem like a ball and chain to technologists. To them, our pitches must sound like claiming seatbelts enhance driving.
What, then, is the modern argument for infosec compliance? From a compliance manager’s viewpoint, batting for it can seem to be a series of long innings, with computer innovation having an impressive variety of pitches.
On the other hand, most technology innovators will not openly oppose security any more than car manufacturers oppose better car safety. Through news headlines and personal experience, they too must be aware of the cost of security breaches, and how commonplace errors can lead to any size of business and any individual getting hurt. Quite reasonably, they will still want to see security controls eased (they won’t say “weakened”). They do want quicker uptake of innovation, especially where it gives advantages (however fleeting) through new ways of working and, of course, to profit margins.
The arguments for security are also frequently undermined by the natural drive for ease of access to data, i.e., ever more convenient availability. Trusted government services even rely on ease of access to meet promises of cheapness and reliability.
Let’s be optimistic and consider the most practical arguments for why compliance should survive in some form or another. Over the past few years, the number of people with computers (and even without) who have been affected by hacking, including its weaponization by criminals to extract money, has exploded. In 2016, 40% of millennials had already experienced cybercrime. The numbers are certain to increase, with 75% of the world’s population expected to have some form of digital access by 2022.
The ways in which people might be hurt in future will change too, as criminals (and, alarmingly, foreign powers) adopt new exploits for new technologies. Consider how our reliance upon Internet technology is increasing daily through the Internet of Things (IoT). And those “things” include ever more personal and domestic services, all very vulnerable to exploitation.
Even if that seems too speculative, we do know for certain that our critical national infrastructure has been targeted for attack for some time, and more recently, even our democratic institutions.
Technological innovation has become almost entirely private-sector-led since World War 2, but the wartime disciplines and traditions around security did not transfer from that age. Though this is a good thing for both democracy and progress, it also meant that the public sector and military bureaucrats, who were then entirely responsible for security, were left behind while innovation continued to multiply and accelerate.
Nowadays there are few government services that can claim to have better security than those provided by the private sector. And governments increasingly rely on the private sector to supply trusted government services to public, as a way of driving down direct costs to the public finances.
Perhaps unrestricted technology growth will lead to some future tipping point, when a critical mass of people is hurt so badly through cyber-theft of their money, goods and information that they demand security safeguards over technological advances. We have seen no sign of this yet: it certainly does not appear on any current election agenda. People still generally want their government(s) to make the ultimate standards of rules for society, so long as those rules do not stop them going about their peaceful business.
I was a latter-day security bureaucrat. In the three decades I have overseen security, the biggest challenge was making meaningful rules and regulations for innovations that had already galloped through to the next innovation, sometimes before any new rules could be tested. In short, government-centered security compliance simply cannot keep up with security changes.
Trouble With Laws
A big drawback of government controls is the slow process of lawmaking. Elected governments cannot control technological change, yet they can be pressured by electors to “do something” when the technology starts to hurt. But laws need consensus, which can easily be disrupted by the short life cycle of elected governments and their fickle agendas. Drafting new laws also needs expertise and funding, and the target of legislation can change quickly as new technologies create new security exploits.
An example is the UK’s Computer Misuse Act, drafted in 1990 to bridge a hole in UK law that had allowed shoulder-surfing hackers to escape prosecution. That law has had to be continuously amended to keep up with post-1990 exploits like DDoS attacks. But the continuation of such old-fashioned terminology in a title of law is a direct commentary on the inability of government to keep up with infosec.
Since the 1990s we have seen a number of significant new laws which, though not centered on computing, have affected it through regulation of data collection and management. For example, the U.S. HIPAA (Health Insurance Portability and Accountability Act) has had a significant effect on how patient data is handled, while the GLBA (Gramm-Leach-Bliley Act) puts legal constraints in how institutions can share information they hold about individuals. The regulations that underpin these laws have created small islands of good infosec compliance, upon which other infosec best practice can take root and grow. However, being based on a variety of laws, these infosec-backing regulations are not connected and are always at risk of being undermined by the repeal of legislation. Consider, for instance, whether an international banking organization would have better or worse infosec compliance if the Sarbanes-Oxley regulations were withdrawn.
More recently, the growth of connectivity across national boundaries has been a challenge to governments obligated to guarantee the privacy of their citizens. We have seen the first major attempt by the U.S. to accommodate data protection legislation (the GDPR) now enforced in the EU. This is a new area, where compliance is mandated for non-EU-based companies who handle data belonging to EU citizens.
Standards and Best Practice
Non-legally-based standards (e.g., ISO 27001 and PCI-DSS) support infosec compliance. They are more elastic than laws and regulations and able to grow alongside technology to allow for business innovation. They aren’t based on short-term government agendas and usually hold the promise (for organizations) of enhanced trust and therefore more business. These formats can require much effort to initiate and maintain through ongoing compliance checking and maintenance, sometimes by third-party assurance certifications.
Generally, organizations need some incentive to voluntarily increase their infosec compliance, and the promise of better security management measures, though very useful for infosec compliance monitoring, won’t do this. Some U.S. states have even attempted to integrate infosec standards into their laws, but this creates a legislative problem for the lawmakers of those states whenever the regulations need to be changed.
Maturity versus Compliance
The 2014 issue of Presidential Executive Order 13636 (Improving Critical Infrastructure) and the introduction of the Cybersecurity Framework marked a shift from traditional compliance towards the assessment of maturity levels for security. With an emphasis on critical infrastructure, the Cybersecurity Framework is a recognition that former expectations of full security compliance are unrealistic, and that organizations should seek well-developed security systems that are responsive to a wide range of security issues – that is, are “mature.” Organizations can now use a variety of assessment tools to calculate their security maturity and focus upon increasing their resilience as part of a managed program of improvement.
At present, security compliance rests on multi-faceted approaches: A company that handles medical matters may base its compliance upon mandatory (i.e., HIPAA) requirements while reinforcing these through best practice standards such as ISO 27001. Where tools are used to help combine and maintain these efforts (as with the Cybersecurity Framework), it should be fair practice for such an organization to claim they are an infosec-responsible organization, even with the expectation that some security events will occasionally get through its defenses.
Awareness Is Key
The inevitability of security events makes effective infosec awareness programs ever more important. Where automation and policies fail, we have to rely on the human factor as a serious defense.
The effectiveness of an infosec awareness program is now an even more crucial part of any compliance program. Well-managed infosec awareness and compliance materials will support this. With the increased emphasis on maturity, such programs must be innovative, flexible and able to assess user responses to security issues. They also need to underscore relevant legal concerns. As technology is personalized, miniaturized and domesticated, infosec awareness and user responsibility must surely grow.
In my next piece, I’ll look at likely future trends for compliance. I’ll consider the continued drift from corporate computing and office-based technology towards cloud-based data retrieval and the blurring of lines between corporate and personal computing.
Source: 2016 Norton Cyber Security Insights report
 Morgan, S. Security Ventures/Herjavec 2017 Cybercrime Cyber Report. Morgan also asserts that 3.8 billion of the world’s population had Internet access in 2017 and he projects 6 billion (75% of that future world population) will have it by 2022.
 For example, See US-CERT Alert TA18-074A: ‘Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors’ (March 2018).
 See ICA: “Assessing Russian Activities and Intentions in Recent US Elections” (January 2017)
 E.g., through (2011) Executive Order 13571 on Streamlining Service Delivery and Improving Customer Service
 See Hughes, M. The Computer Misuse Act: The Law That Criminalizes Hacking in the UK (05/2015)
 It’s impossible to list the number of services worldwide that could adopt ISO27001. However, for the sake of reference, around 39,500 certifications existed in 2017. Source: ISO Survey 2017.