Compliance is not a proxy for due care

Regulatory compliance is a necessary step for IT leaders, but it is not sufficient to reduce residual IT security risk to tolerable levels. This is not news. But why is this the case? Here are three reasons:

  • Compliance regulations are focused on “good enough,” but the threat environment mutates rapidly. Therefore, any definition of “good enough” is temporary. The lack of specificity in most regulations is deliberate to accommodate these factors.
  • IT technologies change rapidly. An adequate technology solution today will be obsolete within a few years.
  • Circumstances and IT networks are so varied that no single regulation can address them all. Prescribing a common set of solutions for all cases is not possible.

The key point to understand is that the compliance guidance documents are just that — guidance. Getting certified against the standard, while necessary, is not sufficient. If your network becomes the victim of a security breach and a third party suffers harm, then compliance with the guidelines alone will not be an adequate defense, although it may help mitigate certain regulatory penalties. All reasonable steps to mitigate the potential for harm to others must have been implemented, regardless of whether those steps are listed within the guidance.

A strong security program is based on effective management of the organization’s security risks. A process to do this effectively is what regulators and auditors look for.

‘Twas the Night Before Christmas – an EventTracker Story

‘Twas the night before Christmas and all through HQ

Not a creature was stirring, except greedy Lou –

An insider thief who had planned with great care

A breach to occur while no one was there.

Lou began his attack without trepidation,

For all his co-workers were on their vacations.

He logged into Payroll and then in a flash

Transferred to his account a large sum of cash.

But Lou didn’t realize that what he was doing

Had sent an alert that something was brewing.

And who was receiving this urgent alert?

Why EventTracker’s staff, who are always at work.

While monitoring all of their client locations

EventTracker’s team received notifications.

Their software had noticed some behavior changes

That seemed to fall outside of the normal ranges.

Immediately, they picked up the phone

And rang for Lou’s boss, but no one was home.

But EventTracker’s staff had more than one number.

And Lou’s boss heard his cell, despite being mid-slumber.

During the call, they exchanged information.

And while Lou’s boss called the police station,

EventTracker immediately got to work

Shutting down Lou’s access to HQ’s network.

Lou is now spending his Christmas in jail.

And the money he stole was returned without fail.

As for EventTracker, what else can I say?

This story will be one more Catch of the Day.