Few would dispute that regulatory mandates have forever changed the role of IT security. The risk of financial sanctions, public embarrassment and potential jail time for executives has raised security awareness from the back office to the board room.
"Roll the clock back a few years and look at the challenges security professionals had then," says Eric Litt, chief information security officer at General Motors. "They were trapped in the middle layer of management. They certainly didn't have the support or understanding of upper management. And if they were trying to make the right IT security moves, they were pushing snowballs uphill."
But it's debatable whether this increased attention to regulatory compliance has had its desired impact and actually improved the overall IT security of regulated organizations. Many security managers, in fact, argue that compliance has to varying degrees weakened security's priority--that the target has shifted from reaching a state of overall security to attaining adequate levels of compliance and satisfying auditors' checklists.
"A lot of security initiatives in many companies got shelved. Everyone has a limited budget, so some security projects got pushed lower on the agenda," says Lloyd Hession, chief security officer at New York-based financial network services provider BT Radianz. He contends that technologies such as intrusion-prevention initiatives, enterprise digital rights management, and even network admission control were postponed in many companies to make way for the capital that needed to be spent on attaining compliance.
"All of those things are nice security projects, but it's hard to see how they get you to Sarbanes-Oxley (SOX) [compliance]," Hession says.
Tipping the Scales
In a post-September 11, regulated world, upper management could no longer keep its head in the sand regarding security.
"Security had to be addressed. So in that regard, compliance was a positive force for security practitioners," says Jerry Freese, director of IT security engineering for American Electric Power, a power generator and distributor based in Columbus, Ohio. In fact, in heavily regulated industries such as telecommunications, retail and financial services, more than 60 percent of respondents to last year's annual CSI/FBI survey say SOX has raised the level of interest in information security.
Regulatory focus has been a significant shift for security managers. A few years ago, IT security centered on technical defenses: network access control and segmentation, anti-x (antivirus, antispam and similar) software, and updating intrusion detection sensors. Many chief information security officers were as comfortable working a Unix command prompt as an Internet browser, and would spend hours each day overseeing arcane firewall rule sets within cumbersome command-line interfaces. IT security was about closing network and application security gaps that could let criminals slither through.
"In many respects, we will look back on those days as simpler times," says Hession. "Regulatory compliance has changed everything."
High-profile corporate accounting scandals, followed by months of unprecedented data leaks, changed the landscape. The bad news kept rolling in, and so did the regulatory burdens that followed.
SOX changed the way the financial information of public companies is managed. The Patriot Act, passed in October 2001, brought unparalleled reporting and customer monitoring requirements, while the Federal Information Security Management Act of 2002 mandates cybersecurity enhancements among federal agencies. In addition, more than 30 states followed California's lead and passed data breach disclosure laws that closely modeled SB 1386. Pile on industry-specific mandates, such as the HIPAA security rules for health care, and the Payment Card Industry's Data Security Standard, and security managers are forced to balance security and compliance, and make some difficult decisions that don't always result in a more secure environment.
"Regulatory compliance has become a new threat," says Pete Lindstrom, a security analyst at the research firm Burton Group.
Regulatory mandates have forever altered how organizations perceive their risks. The Ernst & Young 2006 Global Information Security Survey, which queried 1,200 respondents in 48 countries, found that three years after Sarbanes-Oxley, attaining regulatory compliance is the top focus of IT security groups at 56 percent of those surveyed, and even trumps privacy and personal data protection, at 47 percent, and meeting business objectives, at 38 percent.
"There's definitely a degree of regulatory distraction out there," says John Pescatore, security analyst at research firm Gartner. "And even cases [where] regulatory demands have lowered overall security."
As an example, Pescatore cites that nearly every Sarbanes-Oxley audit requires quarterly password changes.
"That's a guaranteed way to decrease security. The end result is that people choose easier-to-remember passwords, or they're forced to use stupid passwords they're going to forget," he says. The result: the help desk gets flooded with password reset calls, which makes it easier to fake out the help desk. "This does two bad things," Pescatore contends. "It decreases security, and sucks budget away from activities that would have increased security."
Many chief information security officers also argue that aspects of regulatory compliance--such as focusing too heavily on audit controls, procedures, and satisfying auditors' demands--actually can increase risks to the information the regulations purport to protect. Pescatore points to cases in which companies are measuring compliance success by counting their regulatory controls and by increasing their total number of controls. "They'll argue that they're reducing regulatory risks because they now have 1,200 controls in place, whereas a year earlier they only had 800. But that doesn't mean you're doing better. You might actually be doing better if you had 600. People start focusing on satisfying the auditors rather than protecting the business," says Pescatore.
GM's Litt explains how the lack of a regulatory guidance baseline adds to the difficulty of achieving compliance.
"The downside of compliance is in the execution. Take three companies: Company A doesn't do anything when it comes to compliance. Company B has deployed some levels of detective controls. And company C is trying not only to detect problems, but also proactively prevent them. The problem is that all three companies can get written up for noncompliance. Company A gets cited for not doing anything, Company B for not being proactive enough, and Company C for pushing the envelope too far with not-yet-matured technology," says Litt. "There is no gold standard. No consistency."
AT&T senior vice president and chief security officer Edward Amoroso likens the need for standardization to the ubiquitous Underwriters Laboratories stickers on products where one sticker signifies some measure of quality.
"Could you imagine if you went and bought a lamp and there were 50 stickers all over it: SAS-70 approved, ISO-this approved, GLBA-approved, Sarbanes-approved? You'd imagine some frenzied lamp safety guy, bleary-eyed and drinking coffee, having completed 50 certifications to make sure the lamp is right. Well, that's us," Amoroso says. "Instead of one sticker we have 50 stickers, and they're all asking for exactly the same thing, but you end up spending time, time, and more time satisfying different auditors and different groups. It could be more effective to have generally accepted security principles, much like the accounting professionals have GAAP."
In many cases, these stickers don't equate to being secure. Bruce Brody, former chief information security officer with the Energy Department and the Veterans Affairs Department and currently VP of information assurance at IT services provider CACI International, explains that agencies can follow the FISMA accreditation process 100 percent and remain woefully insecure.
"The first stage of the FISMA process is a risk analysis. And agencies often accept too much risk from the start. They then put the processes and controls in place to certify to that low level of risk. Their systems aren't secure. They haven't considered all of their interconnections, or the risks posed by subcontractors or business associates. They're exposed to too many threats. But they're compliant," Brody says.
That's why Freese says, no matter how crucial compliance is, the focus must remain on keeping systems secure. "Compliance isn't the goal; security needs to be the goal," he says.
Christopher Paidhrin, IS security and HIPAA compliance officer for Southwest Washington Medical Center of Vancouver, is a strong believer in technical controls to enforce security and maintain regulatory compliance.
To ensure patient information remains confidential and secure, whenever a nurse or a health care provider takes patient information on their notebook, the information is encrypted at logoff or when the system times out, Paidhrin explains. And if they forget their pass phrase, the system's hard drive locks after three tries.
"We want the staff to be able to take advantage of the productivity and convenience provided by technology, but we don't want any loss incidents that other hospitals and government agencies have suffered recently," he says. "Keeping that information encrypted when it's not in use is a way to do just that."
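The control Paidhrin describes has two parts: the notebook's data is sealed whenever the session ends, and unlocking it requires a pass phrase that fails closed after three wrong tries. The following is an added example written for this article, not the medical center's or any vendor's code. It models that behaviour as a small state machine using only the Python standard library: the pass phrase is stretched with PBKDF2 into a key, only an HMAC verifier of that key is kept on disk, `seal()` stands in for the encrypt-at-logoff step by dropping the key from memory, and `unlock()` refuses every further attempt once the third wrong pass phrase is entered. The salt, iteration count, `MAX_ATTEMPTS`, class and function names are all assumptions; a real full-disk-encryption product would wrap the volume key rather than keep a bare verifier.

```python
"""Pass-phrase-gated unlock with a three-strike lockout (added example).

Stand-in for the notebook control described in the text: data is sealed at
logoff or idle timeout, an unlock needs the pass phrase, and three wrong
pass phrases lock the device. Not a vendor's implementation; the constants
below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

MAX_ATTEMPTS = 3              # assumption: matches the "three tries" in the text
PBKDF2_ITERATIONS = 100_000   # assumption; tune upward for production hardware
CHECK_VALUE = b"unlock-check" # fixed message whose MAC under the key proves the key


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the pass phrase into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


class SealedNotebook:
    """States: unlocked -> sealed (logoff/timeout) -> unlocked, or locked out."""

    def __init__(self, passphrase: str, salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)
        key = derive_key(passphrase, self.salt)
        # Persist only a verifier; the key and pass phrase are never stored.
        self.verifier = hmac.new(key, CHECK_VALUE, "sha256").digest()
        self._key: Optional[bytes] = key   # held in memory only while unlocked
        self.failed_attempts = 0
        self.locked_out = False

    @property
    def unlocked(self) -> bool:
        return self._key is not None

    def seal(self) -> None:
        """Logoff or idle timeout: drop the key so data at rest stays unreadable."""
        self._key = None

    def unlock(self, passphrase: str) -> bool:
        """Return True on success; the third wrong try locks the device for good."""
        if self.locked_out:
            return False                   # fail closed, even for the right phrase
        candidate = derive_key(passphrase, self.salt)
        probe = hmac.new(candidate, CHECK_VALUE, "sha256").digest()
        if hmac.compare_digest(probe, self.verifier):   # constant-time compare
            self._key = candidate
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked_out = True
            self._key = None
        return False


def demo() -> dict:
    """Walk the forgotten-pass-phrase scenario and return the observed states."""
    # Fixed salt and pass phrase are constructed test data, not real secrets.
    nb = SealedNotebook("correct horse battery staple", salt=b"\x00" * 16)
    nb.seal()                                                # nurse logs off
    wrong = [nb.unlock("guess%d" % i) for i in range(3)]     # three forgotten tries
    after_lock = nb.unlock("correct horse battery staple")   # right phrase, too late
    return {"wrong_results": wrong, "locked_out": nb.locked_out,
            "correct_after_lockout": after_lock, "unlocked": nb.unlocked}


if __name__ == "__main__":
    print(demo())
```

The point of the lockout check coming before the key derivation is that a locked device does no further work on attacker input; the point of keeping only a verifier is that a stolen disk image yields nothing to test guesses against offline except a PBKDF2-stretched MAC.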
It shows that compliance and security don't need to be at odds.
Few know this better than Edward Sarama, corporate chief security officer at Checkfree Corp. While compliance efforts have certainly added organizational layers to his security program, and increased attention from customers regarding the company's security initiatives, none of this has weakened the company's focus on risk mitigation, he says.
"We always had security questionnaires from our customers inquiring about the security we have in place, but now we get explicit questionnaires to the tune of 50-plus pages of information that we have to fill out. It is kind of a checkpoint as to what we are doing or what they feel we need to be doing," he says.
Those questionnaires are backed up by more conference calls with auditing and compliance teams to further discuss the responses. "It's not much of a security burden, but requires additional resources and expenses. We already had a lot of the controls in place. So it wasn't that big a deal for management; it just was an additional expense that we had to account for," says Sarama. "It's just a part of business today. It's about keeping compliance and security controls in sync with your overall policies and efforts."
Not all companies have kept that focus, and some have fallen into the trap of focusing on regulatory compliance for compliance's sake, says Brody.
"In many areas, it's become more of a compliance drill. There's a lot of emphasis on generating paper and controls that get to compliance, but not a lot of emphasis on putting the technologies in place that get you secure," he says, adding that he finds technical controls far more reliable than organizational policies and operational controls because of the human element involved in enforcing the latter.
It's vital that security managers don't allow their organizations to lose sight of the ultimate goal.
"The desired end state should be a secure environment--and that'll get you a long way toward compliance," Freese says. "Security practitioners should always be thinking, and keeping their organization focused, on those terms."