Whenever ugly incidents such as the security breach at the Hannaford Bros. grocery chain occur, the natural reaction of those in the industry is to look at them through the prism of security and accountability. That is, which part of the company's defense system failed and who is to blame? Once the "what" portion of this question is answered, we can then move on to the "who" part, assign some blame and move on to the next attack.
But looking at the Hannaford incident from a different angle reveals that in this case it's not necessarily a technology or a person, but an industry-wide mindset that's at fault here. The decline in emphasis on security in favor of a sometimes maniacal focus on compliance with various standards and regulations has created a climate in which passing an audit or satisfying a regulator is deemed more important than actually doing what's necessary to protect critical assets. This, as we're seeing on a daily basis now, is a dangerous situation, and it's a problem that must be addressed within each individual organization if it's to be solved.
And for consumers not familiar with such standards and what they actually require, that will be enough in many cases for them to cut Hannaford a break. But the reality is that compliance is by no means synonymous with security. Compliance with PCI, HIPAA, Sarbanes-Oxley or any other regulation simply means that at the time of the most recent audit, the organization met the guidelines set out in the regulation. It does not mean that the organization monitors its compliance with those rules on a continuous basis. It is simply a snapshot of the company's state at one moment in time.
In order for compliance to translate into true security, companies must take to heart the painful experience known as continuous process improvement and constantly work to do things better. That's the way things work in the overwhelming majority of companies dealing with the ever-increasing regulatory burden placed on IT staffs these days. People work hard to do what's necessary to protect their companies' networks and customers while also having to satisfy the checkbox nature of many of these regulations and standards. Sometimes those two requirements mesh. But just as often they don't, and more's the pity it's leading us all down dead-end road.
No one would argue that PCI, SOX et al haven't done some good things for corporate America; certainly they have. But that's almost beside the point now, because in some cases those benefits are outweighed by the enormous amount of time and effort security staffs have to spend on compliance, often at the expense of other projects. We're now beginning to see the results of that compromise, and it's not a pretty picture.
The situation is likely to get worse before it gets better, however. Given the economic climate right now and the upcoming administration transition in Washington, more regulation seems likely as the new president looks to put his (or her) legislative agenda in place and make a mark. And, if the data breaches continue, which of course they will, you can bank on some kind of national disclosure law, as well as more federal regulations for organizations that handle personal information.
How's that for irony? We legislated our way into this mess and we'll probably try to legislate our way out, too.