The question "how much is enough" in regard to security spending has been explored by many researchers. Industry seems to have answered the question simply as "spend just enough to pass the next regulatory examination." Regulatory security standards are intended to provide a generalized baseline for information protection and organizations are failing to recognize their own security requirements do not directly map to any single standard or set of standards. In fact, the very elements within an organization that do not overlap with a standard may present the most challenging risks.
Unfortunately, it appears many institutions have settled on the misguided notion that compliance and security are essentially synonymous and as a result have significant unmitigated risks. Simply stated, the checklist security audit approach is easy to understand and budget for, but the result is inadequate security. The Heartland Payment Systems breach demonstrated how an emphasis on compliance may not be reasonable as the company was damaged by a huge breach despite apparent compliance with the PCI Data Security Standard.
Organizations that invest heavily in compliance programs are prone to confuse their efforts with sound risk management. They often exhibit a lack of appreciation for even basic concepts of information protection. For example, I recently applied for a mortgage loan through a very large bank, and during the process was requested by bank staff to send personal documentation to them via clear text email. After pressing the issue, a manager responded with patronizing assurances about the "strength of the bank's email server security." This casual misuse of clear text email extends beyond business areas, however, as detailed network diagrams, controls architectures, audit reports, and security scans are routinely circulated through clear text within many organizations and of course, over the Internet.
Information protection regulatory oversight in the financial services arena initially provided a minimum standard of practice to organizations that were struggling to assimilate new technologies into their business model. Organizations certainly needed guidance about managing basic technical risks and for many years, the mere existence of mandated controls warranted a passing grade from the regulator. A logical next step in the maturing of the oversight process should be increased emphasis on proving operational effectiveness: ensuring controls are actually working on a continuous basis.
Instead, it appears the major emphasis of new regulations will be on expanding the reach of government during theoretical widespread cyber events rather than developing better mechanisms to ensure current standards are actually applied correctly. This summer, a variety of sources reported on a leaked copy of draft cybersecurity legislation that appeared to suggest the White House could intervene directly into private corporate networks in the event of a widespread "cybersecurity emergency." Such law would represent unprecedented insertion into a private and sensitive aspect of internal corporate operations. Furthermore, there appears to be an emerging requirement for organizations to periodically file copies of their network diagrams with federal authorities, which would have the unintended consequence of creating a highly sensitive repository--and a potential treasure trove if breached. Any proposed insertion of government directly into the operational incident response chain of private entities is worthy of scrutiny, particularly in consideration of the well documented struggles of the federal government in protecting its own information assets.
It's generally accepted that security needs to be proactive but the emphasis at the federal level appears to be on reactive elements, which runs counter to the basic fact that most attacks on computers and information are not widespread and do not employ exotic methods. Most incidents include narrowly focused tactics that exploit simple vulnerabilities or employee negligence. The idea that the federal government may one day be capable of delivering an effective response force, capable of inserting into an unfamiliar network in the midst of a crisis and effectively blunting an attack is laudable, but to assume that this capability currently exists or can quickly be established is simply not wise. However, should this bill become law organizations will be faced with yet another compliance checklist, one that says, "Leave the back door open for the feds and send us a map."
If there is any chance of improving the state of information protection across critical infrastructure, the value of statutory compliance cannot continue to be overstated. Emphasis needs to shift away from checklists and towards identification, assessment, remediation, and testing of each organization's unique risks. While it appears government is posturing to present even more standards, and perhaps set conditions for direct intervention during a breach, organizations would be better served by funding security investment according to their respective risk models and no longer remain comforted by simple adherence to the FFIEC examiners guidebook or the PCI Data Security Standard.
Paul Rohmeyer is a faculty member in the graduate school at Stevens Institute of Technology. He provides technology risk management guidance to firms in the financial services industry, and previously held management positions in the financial services, telecommunications and pharmaceutical industries. Send comments on this column to firstname.lastname@example.org