
Library:Why IT Compliance Success is Not Equivalent to Security Success

From Aanval Wiki


Why IT Compliance Success is Not Equivalent to Security Success: The Importance of Distinguishing Between Security Spending and Compliance Spending.


Businesses and organizations in a number of industries are required to comply with privacy and data protection laws, as well as with regulations, legislation, and policies developed to protect the sensitive and confidential information of individuals and customers. Compliance requires these organizations to adopt and deploy a number of costly activities involving process, technology, and people, including dedicating IT staff to meeting compliance requirements and deploying technologies that reduce security risk. Compliance in general consists of a comprehensive set of steps or checklists that lets each organization measure its level of compliance against specific governance requirements.

Addressing and maintaining industry compliance and governance requirements is difficult and complicated. The list of policies and standards is lengthy, and there is no shortage of complications on the way to a successful compliance posture. Compliance has become an intensely time-consuming task for many organizations and their IT departments, creating an environment in which substantial resources across the organization are dedicated to compliance tasks. Security experts and technology consultants including John Casaretto believe that, with all of these extensive compliance activities taking place, “a reality arises in that despite all these efforts, security compliance is a noble but futile diversion to security practice and is actually just one component to the overall security picture. A lot of efforts are made by organizations to ensure meeting compliance mandates, but unfortunately most of the efforts are geared toward avoiding the financial risk of penalties for failing to comply with requirements. Even after all compliance efforts are applied, the underlying fact is that cyber criminals have variant ways to compromise their target that are likely not addressed by compliance standards.” One major security problem that compliance alone cannot detect or prevent is the constant emergence of new threats and advanced attack techniques; a standard written last year cannot enumerate this year's attacks. Aggressive attackers seek to penetrate networks, databases, websites, and applications, while malicious insiders are more persistent than ever in working their way toward stealing data for a lucrative payout.

Security experts suggest that compliance will not necessarily protect organizations from attackers; at best it provides the procedures needed to discover what happened after a data breach and to establish breach prevention policies and guidelines. They are also quick to add that the rising number of security incidents involving insiders would be harder to detect, identify, and investigate without capable security technology such as a Security Information and Event Management (SIEM) system to support forensic analysis. As research studies consistently report, the yearly cost of cyber crime continues to escalate, and businesses and organizations, as well as their IT departments, need to be certain that they are managing their security risks effectively by using the most capable security technology available rather than relying purely on meeting compliance requirements to secure networks and improve their overall security posture.

Why Regulatory Compliance Does Not Always Lead to Better Security

One of the Greatest Threats to the Implementation of Strong Security Controls is “Compliance Think.”

Francois Lasnier, writing at BankInfoSecurity.com, stated: “One of the greatest threats to the implementation of strong security controls is ‘compliance think,’ the phenomenon of working to meet compliance requirements, rather than focusing on action that meets the need identified by the compliance guidance. The time has come for stronger security, but the focus needs to be on protecting both organizations and customers, not simply on meeting compliance requirements.” Mr. Lasnier acknowledges in his article “Moving Beyond ‘Compliance Think’ in Online Banking Security” that even with compliance guidelines set forth to provide stronger security controls within the online banking industry, “online bank organizations have not been able to keep up with the ever increasing sophistication of online threats.” The article further states that “‘compliance think’ led the industry to find the lowest common denominator for many security solutions: what would be the fastest, most cost effective way to pass a compliance audit? While this approach certainly raised awareness for the security industry as a whole, the solutions deployed largely created the illusion of security, rather than actually making customers' online experiences more secure. Many solutions promised to provide a broad range of protection for online activity, but the financial industry has discovered that these solutions have fallen short of keeping up with the evolving threat landscape.”

The “compliance think” scenario applies equally to businesses and organizations in other industries that must adhere to compliance mandates. The false sense of security many organizations feel after being certified as compliant should be a major cause for concern: certification seemingly tells organizations and customers that all networks, applications, websites, and databases are fully protected, which is far from the truth. An Infosecurity Magazine article on why compliance does not equal security interviewed Jim Jaeger, Director of Defense and Commercial Cyber Solutions at General Dynamics. Drawing on General Dynamics' extensive experience investigating security breaches, Mr. Jaeger said that in “virtually every breach that they have investigated, that company has been certified as being compliant within the last year. In some cases the companies were being certified while the breach was occurring. In many cases, these compliance regimes give people an incredible false sense of security.” Mr. Jaeger was also careful to point out that regulatory compliance is still important: “But you can’t rely on the fact that you’ve been certified, especially when certification is conducted by companies you are paying for their services.” Overall, Mr. Jaeger views compliance standards as “pillars” for sound information security, but in his opinion compliance must be built on the more solid foundation of a comprehensive network security program.

Why IT Compliance Success is Not Equivalent to Security Success

The Importance of Distinguishing Between Security Spending and Compliance Spending.

Khalid Kark, a senior analyst with Forrester Research Inc. whose analysis appeared on TechTarget, discussed the relationship between compliance and security and stated: “the truth is that it's possible to have excellent security and be non-compliant, and it's possible to pass a compliance audit with flying colors and have poor security. The misconception that compliance equals security has led organizations to spend excessively on compliance, sometimes at the detriment of security. Many regulated industries now spend a significant portion of security resources on compliance initiatives. In fact, one enterprise slashed its security budget by 30% and postponed some of its security projects because the resources had to be allotted for dotting the i's and crossing the t's in its Sarbanes-Oxley (SOX) compliance efforts.”

In the TechTarget article “IT Compliance Success Doesn’t Equal Security Success,” Mr. Kark further noted that the “companies that effectively balance security and regulatory compliance don't just follow the letter of the law. They typically go beyond what is required by a regulation, because it makes their environment more secure.” The article offered a few principles to ensure that information security does not get left behind. The first advises organizations to base their security program on a security framework: “CISOs must develop their security programs based on security principles rather than on regulatory mandates. If a security program is based on compliance mandates, it will have to be updated or changed every time a new regulation comes along or even when an existing regulation is refreshed. Secondly, a regulation typically addresses one particular type of risk (i.e. protecting personal information, protecting credit card numbers, etc.), but does not address business risks including protecting corporate intellectual property or a business model.” The second principle advises organizations to leverage compliance budgets for information security controls: “Enterprises should ‘distinguish’ between security spending and compliance spending. CIOs often lump regulatory compliance spending with information security spending simply because the information security organization has been made responsible for regulatory compliance. CISOs need to educate management that security spending decisions not only extend to fulfilling regulatory compliance requirements but should also be based on the threats to the organization and aligned with corporate objectives.” Businesses and organizations should therefore invest in the most capable security technology to detect, prevent, and mitigate security threats.


Regulations are intended to provide a generalized baseline for information protection; however, many businesses and organizations still fail to recognize that compliance does not equal security. A checklist-audit approach has led some organizations to spend a disproportionate share of security resources on compliance initiatives, resulting in inadequate security and, at times, a successful breach. Compliance should be viewed as one component of the overall security picture, built on the more solid foundation of a comprehensive network security program.

“IT departments worldwide are facing a new era of security risks and persistent cyber attacks,” said Loyal Moses, CEO at Tactical FLEX, Inc. “We help organizations of any size and their IT departments meet these security challenges and become more proactive in detecting and preventing various forms of security breaches from actualizing and disrupting business operations. We understand safety lies in monitoring computer security network systems and improving network visibility around-the-clock. Without capable network security technology that delivers complete network visibility, threat management, local network-security situational awareness, and forensic analysis, organizations are forced to operate in a reactive mode after attacks have occurred. Our Aanval SIEM and IDS solutions play an important role in securing many enterprises in numerous industries. Successful mitigation of malicious insiders and external cyber attacks requires enabling technologies such as Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS).” Over 6,000 organizations from various industries around the globe use Aanval because it provides a proactive tool to combat aggressive cyber threats and safeguard their virtual and physical assets.

To learn how Aanval SIEM and IDS solutions can help your organization mitigate security risks and improve overall security posture, please call (800) 921-2584 or email sales.group@aanval.com. For more information on Aanval, please visit http://www.aanval.com.