Oh… For Compliance Sake!

Blog by Chris Gausden, Arcanum Principal Consultant.

I have had an extended career in Cyber Security (AKA Computer Security / Information Assurance / Information Assurance and Security, etc). During that time I have always perceived the existence of two distinct camps: those who cling to frameworks and detailed policies/standards and focus wholly on compliance as the primary goal, and those who are able to recognise the benefits of looking objectively at real-world security risks and possible mitigations to find the right cost/risk balance.

Compliance certainly has its place in the world of Cyber, ensuring that specific risks and issues are considered and that a common minimum standard of risk mitigation is applied to those issues, but does it always guarantee that an organisation is appropriately secure?

In my experience many organisations seek to acquire cyber compliance “badges” as a marketing tool to attract security-focused customers but pay little attention to their real purpose. Even if a compliance process, with its inevitable manual audits, is undertaken properly, it often delivers no more than a snapshot in time: a security “MOT” for IT, with no long-term assurance of establishing and maintaining the mitigated/accepted risk balance. In this new age of dynamic business IT, cloud/virtual technologies allow you to change the way in which your IT is functioning quickly and with little traditional reference documentation, and cyber must learn to keep pace.

Blind compliance to a fixed, generic set of requirements satisfied with simple controls is not really the answer. So, what is the answer? Firstly, cyber must recognise that its role is to secure the business from real-world risks, and to do that it must have a current understanding of the business, its processes and functions and all its risks, with security being just one of them. Cyber must also have a current view of the business technologies used now and planned for the immediate future, and the location and priority of all business assets (technology/people/facilities/data/processes). It must also take responsibility for the security of all of them without causing unnecessary impacts on their efficiency, with the necessity of any impacts being judged by the business, not the cyber team. The final trick is to provide a continual and realistic view of the true level of security risks mitigated versus those that must be accepted by the business. This last activity must be a dynamic picture that changes day to day with business-related world events, new cyber security vulnerabilities and global incidents as they occur. To achieve all of this, cyber must earn its place in the business model, be fully integrated into all business functions, and be accepted by all of the company’s employees as an essential part of that business.

This view seems to be shared by a number of professional cyber security organisations, including “Getadvanced”, who provide a simple diagrammatic view in the Venn diagram in this blog article [1].

In a previous role, my team represented the security services provided to the business by cyber security operations, grouped under the service delivery name “ARGUS”. ARGUS PANOPTES was a hundred-eyed giant of Argolis in the Peloponnese. … Hera rewarded Argus for his service by placing his hundred eyes on the tail of her sacred bird, the peacock.

This involved the creation and operation of a business-supporting, appropriately affordable security operations capability, attuned to the probability of identified business-threatening security risks manifesting themselves, not just the possibility. Argus was made up of a carefully defined number of cyber security services (eyes) that were continuously focused on existing and emerging business security risks, providing a variable measure of protection, detection, and post-event analysis data to support technical and security investigations. It also gave an up-to-the-minute view of mitigated/accepted security risks to support critical business decision making. This made the business both secure and compliant. Every company needs its Argus, but one that maps onto its business needs, not the same one for all based on a simple compliance model.

Remember: if you are appropriately secure, you should be compliant, but just because you are compliant it does not necessarily mean that you are appropriately secure.

Come and talk to Arcanum about your real-world cyber security worries and compliance requirements (ideally in that order).

Get in touch by calling: 01558 66914, or alternatively email: marie.caruso@arcanumis.com

Sources:

[1] https://www.getadvanced.net/technology-blog/article/why-being-compliant-is-not-the-same-as-being-secure