BOSTON -- Regulatory compliance is a necessity for nearly all organizations, but security industry experts say enterprise security programs consumed by compliance may risk falling behind the fast-paced world of cyberthreats.
Wednesday during a panel discussion at the 2015 SecureWorld Boston conference, a number of vendors spoke about the state of emerging threats, including "typosquatting" URLs taking users to malware-laden websites, domain shadowing, shadow IT and mobile malware. Yet all the panelists emphasized how regulatory compliance may have a negative effect on security, specifically in terms of how quickly security can adapt to threats.
Thomas Bain, vice president of marketing and security strategy for Waltham, Mass.-based security vendor CounterTack Inc., noted that regulatory compliance can serve as a mechanism to augment an information security budget, but that compliance processes should be seen as a solid foundation for a security program rather than an answer to all of an organization's security concerns.
"Compliance is a good way to get a security product into a budget," said Bain, "but compliance mandates don't tend to be prescriptive; it's more about having a framework."
Ben Desjardins, director of security solution marketing for Tel Aviv-based application security vendor Radware Ltd., said that the majority of security spending is focused on compliance, but that within this reality there exist two basic problems.
"Compliance regulations move slowly and can't keep up with the evolution of threats," Desjardins said. "Also, compliance initiatives tend to be focused on confidentiality and integrity, and overlook availability."
Dave McCulley, systems engineer for Austin, Texas-based security analytics firm Click Security Inc., said that in addition to a focus on regulatory compliance, a big contributing factor to security lagging behind threats is the mentality of some organizations to implement security that is merely "good enough."
"You're all in a race with each other, because attackers will go after the easier targets," McCulley said. "Good enough security is never good enough, because you always need to be better than someone else."
McCulley also noted that constant budget constraints make information security program management an ongoing challenge, but the reality is that adversaries are increasingly well-funded -- often having large R&D departments -- because they are state-sponsored or connected to large criminal groups.
Dana Wolf, senior director of products at San Francisco-based security vendor OpenDNS Inc., said that understanding how a focus on regulatory compliance can affect overall security helps, but that organizations must also become more proactive in adopting new security technologies.
Wolf said that enterprises tend to wait for new security technologies to prove themselves in the market before adopting them, but this reticence only exacerbates the problem of lagging behind the speed at which threat actors move.
"I would challenge people to open minds and not be so hesitant to try new technologies," said Wolf, "because that will help keep pace with threats."