I've written several times about my frustration with the U.S. government's inability to connect with private industry to secure our national infrastructure. But an important point was made during a CSO Magazine interview, one that implies that it isn't just government managers who require behavior changes. The following is from an article based on a discussion between CSO staff and Amrit Yoran, the Department of Homeland Security's first director of the National Cyber Security Division of the Information Analysis and Infrastructure Protection office:
The economic crisis will almost certainly lead to more regulation, but it's far too early to say how IT security will be affected, [Amrit Yoran] says.
However, he continues to see companies taking the misguided approach of viewing security through the prism of compliance. Compliance and security are not the same thing, and it's a misunderstanding people should be aware of as more regulations come down the pike.
"Too many companies are training to the test, so to speak, developing security programs specifically to pass the compliance test. You still see that a lot and it's scary" he says.Source: Security Predictions: Two Views of DHS, CSO Staff, CSO, 17 November 2008
The point I take from this relates to how business views its responsibility to protect sensitive information. According to Yoran, he is still seeing too many people viewing compliance as security. This is a big problem, one which security professionals should address whenever possible.
Compliance with Sarbanes-Oxley, for example, only means an organization's financial reports are trustworthy. It has little impact on protecting employee or customer data. Only when executive management directs internal audit to look beyond SOX during regular audits does PII make it into the discussion.
It isn't easy to shift perspective from compliance focus to security focus, a focus on securing the confidentiality, integrity, and availability of all sensitive information. It takes patience. Patience is an aggregate of persistence, tolerance, and acceptance.
As security managers, we must be persistent in our efforts to help managers and other employees see the importance of going beyond regulatory constraints. No matter how frustrated we may become, it's our job, our responsibility, to bring up the organization's ethical responsibilities whenever appropriate.
Shifting from a compliance view to one of security often consists of two steps forward and one step back. Instead of pounding on tables or conducting verbal whacking sessions, we need to be tolerant as others slowly move toward our vision of a protected information environment. After action reviews, root cause analyses, and well-timed awareness training sessions are more helpful than an aggressive, confrontational approach.
Finally, we need to accept the pace at which our managers, peers, and subordinates move toward meeting our strategic security objectives. As long as we make progress, and as long as foundational controls already exist to prevent negligent exposure of information, any movement is good. I'm not suggesting that security managers trying to mitigate risk by getting a firewall implemented between the internal network and the Internet, for example, should sit back and accept the inevitable. (And believe me, there are SMBs which continue to connect internal resources to external networks without any packet examination.) However, accepting the process necessary to shift perspective within our own organization's unique context, and steadily working within it to effect change, is an important element of management behavior modification.
Exercising patience will slowly move us toward the final goal withoug alienating our most important security control, people.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.