Essential Guide

How to prepare for the emerging threats to your systems and data

A comprehensive collection of articles, videos and more, hand-picked by our editors

Emerging cyberthreats exploit battle between compliance and security

While regulatory compliance is valuable and necessary for enterprises, cyberthreat experts say a compliance-centric security strategy may leave organizations with few resources to ward off emerging cyberthreats.

BOSTON -- Regulatory compliance is a necessity for nearly all organizations, but security industry experts say enterprise security programs consumed by compliance may risk falling behind the fast-paced world of cyberthreats.

Wednesday during a panel discussion at the 2015 SecureWorld Boston conference, a number of vendors spoke about the state of emerging threats, including "typosquatting" URLs taking users to malware-laden websites, domain shadowing, shadow IT and mobile malware. Yet all the panelists emphasized how regulatory compliance may have a negative effect on security, specifically in terms of how quickly security can adapt to threats.

Thomas Bain, vice president of marketing and security strategy for Waltham, Mass.-based security vendor CounterTack Inc., noted that regulatory compliance can serve as a mechanism to augment an information security budget, but that compliance processes should be seen as a solid foundation for a security program rather than an answer to all of an organization's security concerns.

"Compliance is a good way to get a security product into a budget," said Bain, "but compliance mandates don't tend to be prescriptive; it's more about having a framework."

Ben Desjardins, director of security solution marketing for Tel Aviv-based application security vendor Radware Ltd., said that the majority of security spending is focused on compliance, but within that reality there exist two basic problems.

"Compliance regulations move slowly and can't keep up with the evolution of threats," Desjardins said. "Also, compliance initiatives tend to be focused on confidentiality and integrity, and overlook availability."

Dave McCulley, systems engineer for Austin, Texas-based security analytics firm Click Security Inc., said that in addition to a focus on regulatory compliance, a big contributing factor to security lagging behind threats is the mentality of some organizations to implement security that is merely "good enough."

"You're all in a race with each other, because attackers will go after the easier targets," McCulley said. "Good enough security is never good enough, because you always need to be better than someone else."

McCulley also noted that constant budget constraints make information security program management an ongoing challenge, but the reality is that adversaries are increasingly well-funded -- often having large R&D departments -- because they are state-sponsored or connected to large criminal groups.

Dana Wolf, senior director of products at San Francisco-based security vendor OpenDNS Inc., said that being aware of how focusing on regulatory compliance can impact overall security will help, but it is also important for organizations to be more proactive in adopting new security technologies.

Wolf said that the enterprise tends to be slow to adopt new security technologies before they have had time to prove themselves in the market, but this reticence only exacerbates the problem of lagging behind the speed at which threat actors move.

"I would challenge people to open minds and not be so hesitant to try new technologies," said Wolf, "because that will help keep pace with threats."


Join the conversation

4 comments


What challenges does your organization face in staying compliant with regulations?

Though compliance is a good way to get a security product into our budget, its mandates don't tend to be prescriptive; it is more about having a framework and it should be seen as a solid foundation for a security program. However, it is challenging that compliance regulations cannot keep up with the evolution of threats because it moves slowly. Also, compliance initiatives tend to be focused on integrity and confidentiality, and overlook availability.

We are currently working through two compliance-related feature sets and reviews. One is related to Security (which is an easy sell and the work done to fix issues has been pretty quick) and Accessibility (which is a bigger issue, and we have done a lot with it, but it's more of a requirement for selling in other countries). It's less of a mandate in the USA, though we have had some large customers request changes because accessibility is mandated for them. Both are interesting in showing that compliance isn't a one-time thing, it's an ongoing endeavor.

In my opinion, time is the biggest drawback of regulatory compliance, which limits the promptness with which enterprises can adapt and respond to security threats.
