Understanding the Purpose of Security Controls and the Need for Compliance

What are the brakes on a car designed to do? I have asked this question many times when speaking to customers or organizations who were dipping their toes into the audit space. Invariably, their answer was, “To stop the car.” At this point, I would then ask, “Then how do you get where you want to go?”

What Is the Purpose of Controls and a Compliance Program?

When people think about controls, especially in the information technology space, they think that controls mandated by auditors are there to get in the way. They have a feeling that all of the requirements behind PCI, SOX, HIPAA, NIST, NERC, etc. are there to prevent them from doing business the way that they want. Organizations that I have come across have the perception that if security or the auditors would get out of the way, they would be able to sell more widgets or make more gadgets. “We trust our people to do the right thing….” Underlying that is the unspoken phrase: “We hope they will do the right thing….”

There is a well-worn cliché that stems from such a belief: Hope is not a strategy, and trust is not a control. As my old friend Gene Kim used to say, “Behind every FAA regulation is a plane crash.” The same can be said of every IT control that you find your auditors asking about:

“Have you disabled TELNET, TFTP or other insecure services and protocols?”
“Do you have a minimum of 13-character passwords configured?”
“How often do users have to change them?”
“Can they re-use passwords?”

There are hundreds if not thousands of things that an auditor is looking for, and if your organization does not have an effective and efficient compliance program in place, you can feel like all of your time is spent answering these questions and producing evidence that what you say is true.

The less defined your compliance program is, the more the auditor has to dig to get to the truth of the matter. They will select a representative sample of systems and make your IT and security staff log into each one and verify that you have in fact disabled TELNET or other services and protocols that have been proven to be exploitable in the past. The more effective your compliance program is, the smaller that sample size can be, and the less time your staff will need to spend doing all of this work. Even easier would be to have a solution that can proactively test these things for you and provide reports that you can just hand to the auditor.

Executive Buy-in: The Key to Getting the Board on Your Side

A critical component is this: how do we get our executive team on board with this?

Tone at the top is the number one priority for establishing an effective and efficient compliance program. Without buy-in from upper management, there is no way that anyone below them will take audit requirements seriously. After all, if they don’t care, why should we? Upper management, especially business line managers, are the ones most likely to feel that security and audit requirements are going to get in the way of doing the business they were hired to do.

Some audit requirements have penalties attached to them. If you fail a PCI audit, the organization may not be able to take credit cards anymore. Failing a NERC audit may have large fines involved. Companies that fail a SOX audit may even have criminal charges applied.

Those are all well and good, but what about companies that do not have these requirements? Does that mean that the CEO or CISO are able to ignore good audit hygiene? Do these companies not need to have an effective compliance program?

That is the problem that many organizations face. How do we get that tone at the top when there is no compliance requirement? More often than not, they would be just as happy to sign off on some checkbox solution to the whole thing to make it go away.

Whole books and treatises have been written on convincing the C-Suite of the importance of good controls even in the face of a lack of requirements, so I won’t bore you with those details here. However, we can get back to our original question, which was as follows: “What are the brakes on a car designed to do?”

The True Benefit of Security Controls

Unlike the default answer provided above, I would like to posit a new way of thinking. The brakes on a car are not designed to stop it. Instead, the brakes on a car are designed to allow the car to go faster safely.

This is the way that organizations, especially executives, need to start thinking about IT controls. They need to start thinking beyond the checkbox. The control is not there to prevent you from doing business. The control is there to allow you to do business faster. What car would you like to have? The Ferrari with no brakes or the Nissan Sentra with brakes? Which car would be able to navigate the twists and turns of a road course and make it to the finish line?

In business, the road to profit is never a straight line. There are bumps, sharp turns, dips and other obstacles. Without the effective controls that a compliance program gives an organization, it is just as likely to careen off the cliff of bankruptcy or crash into the wall of public shame from a security breach as it is to break even or post lost revenue.

Think of IT and security controls, as discussed in this white paper, as guide rails, brakes, or a steering wheel. They aren’t there to prevent you from getting to your destination. They are there to keep you on the road so you can reach it in one piece.
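The white paper's point about a solution that "can proactively test these things for you and provide reports that you can just hand to the auditor" is easier to see in working code. The following is an added example, not code from the white paper or any product it discusses. It encodes the four auditor questions listed above (insecure services disabled, 13-character minimum password length, password rotation, password re-use) as automated checks, runs them over a constructed inventory of host configuration records, and renders a pass/fail report. The 13-character minimum comes from the page; the 90-day maximum age and 24-password history are assumed policy values, since the page gives no numbers for those two questions, and the host records are constructed sample data rather than real systems.

```python
"""Automated evidence collection for the four audit questions on the page.

Added example, not from the white paper. Each auditor question becomes a
check function that returns a Finding with the evidence an auditor would
otherwise have to collect by logging into a sample of hosts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Services the page names as examples of insecure protocols auditors ask about.
INSECURE_SERVICES = {"telnet", "tftp"}

MIN_PASSWORD_LENGTH = 13     # from the auditor question quoted on the page
MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value; the page gives no number
PASSWORD_HISTORY = 24        # assumed policy value; the page gives no number


@dataclass
class HostConfig:
    """One host's relevant configuration, as collected by an inventory tool."""
    hostname: str
    enabled_services: Set[str]
    min_password_length: int
    max_password_age_days: int   # 0 means passwords never expire
    password_history: int        # previous passwords that cannot be re-used


@dataclass
class Finding:
    hostname: str
    control: str
    passed: bool
    evidence: str


def check_insecure_services(host: HostConfig) -> Finding:
    found = sorted(host.enabled_services & INSECURE_SERVICES)
    return Finding(host.hostname, "insecure-services-disabled", not found,
                   f"enabled insecure services: {found or 'none'}")


def check_min_length(host: HostConfig) -> Finding:
    ok = host.min_password_length >= MIN_PASSWORD_LENGTH
    return Finding(host.hostname, "password-min-length", ok,
                   f"minimum length {host.min_password_length} "
                   f"(required >= {MIN_PASSWORD_LENGTH})")


def check_max_age(host: HostConfig) -> Finding:
    # A value of 0 means "never expires", which fails the rotation question.
    ok = 0 < host.max_password_age_days <= MAX_PASSWORD_AGE_DAYS
    return Finding(host.hostname, "password-max-age", ok,
                   f"max age {host.max_password_age_days} days "
                   f"(required 1..{MAX_PASSWORD_AGE_DAYS})")


def check_reuse(host: HostConfig) -> Finding:
    ok = host.password_history >= PASSWORD_HISTORY
    return Finding(host.hostname, "password-reuse-prevented", ok,
                   f"history depth {host.password_history} "
                   f"(required >= {PASSWORD_HISTORY})")


CHECKS: List[Callable[[HostConfig], Finding]] = [
    check_insecure_services, check_min_length, check_max_age, check_reuse,
]


def audit(hosts: List[HostConfig]) -> List[Finding]:
    """Run every check against every host; the auditor's sample becomes 100%."""
    return [check(host) for host in hosts for check in CHECKS]


def summarize(findings: List[Finding]) -> Dict[str, dict]:
    """Per-control pass count plus the hostnames that failed, in inventory order."""
    summary: Dict[str, dict] = {}
    for f in findings:
        entry = summary.setdefault(f.control, {"passed": 0, "failed": []})
        if f.passed:
            entry["passed"] += 1
        else:
            entry["failed"].append(f.hostname)
    return summary


def render_report(findings: List[Finding]) -> str:
    """Plain-text report suitable for handing to an auditor as evidence."""
    lines = [f"{'HOST':<18}{'CONTROL':<28}{'RESULT':<6} EVIDENCE"]
    for f in findings:
        lines.append(f"{f.hostname:<18}{f.control:<28}"
                     f"{'PASS' if f.passed else 'FAIL':<6} {f.evidence}")
    return "\n".join(lines)


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    HostConfig("web01", {"ssh", "https"}, 14, 60, 24),
    HostConfig("legacy-switch01", {"telnet", "tftp", "ssh"}, 8, 0, 0),
    HostConfig("db02", {"ssh"}, 13, 90, 10),
]

if __name__ == "__main__":
    print(render_report(audit(SAMPLE_HOSTS)))
```

The design point is that each auditor question maps to exactly one check function with its own evidence string, so the report answers the question and shows why, and the policy thresholds live in named constants that change when the organization's written policy changes rather than being scattered through the checks.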