First published on the NCC Group blog - 6th October 2014...
It probably won’t raise any eyebrows to know that for practically every penetration tester, security researcher, or would-be hacker I know, nothing is more likely to make their eyes glaze over and send them to sleep faster than a discussion on Governance, Risk, and Compliance (i.e. GRC); yet the dreaded “C-word” (Compliance) is a core tenet of modern enterprise security practice.
Security professionals that come from an “attacker” background often find that their contention with Compliance is that it represents the lowest hurdle – with some vehemently arguing that too many security standards appear to be developed by committee and only reach fruition through consensus on the minimum criteria. Meanwhile, there is continuous pressure for businesses to master their information system security practices and reach an acceptable compliance state.
Compliance against public standards has been the norm for the majority of brand-name businesses for over a decade now, and there’s been a general pull-through elevation of security performance (or should that be appreciation?) for other businesses riding the coat-tails of the big brands. But is it enough?
When I think of big businesses competing against each other in any industry vertical sector, I tend to draw parallels with international sporting events – particularly the Olympic Games. In my mind, each industry vertical is analogous to a different sporting event. Just as athletes may specialise in the marathon or the javelin, businesses may specialise in financial services or vehicle assembly, with each vertical – each sport – requiring a different level of specialisation and training.
While professional athletes may target the Olympic Games as the ultimate expression of their career, they must first navigate their way through the ranks and win at local events and races. In order to achieve success they must, of course, also train relentlessly. And, as a former sporting coach of mine used to say, “the harder you train, the easier you’ll succeed.”
I see compliance as a training function for businesses. Being fully compliant is like spending three hours a day running circuits around the track in preparation for being a marathon runner. Compliance with a security policy or standard isn’t about winning the race; it’s about making sure you’re prepared and ready to run the race when it’s time to do so.
That said, not all compliance policies or standards are equal. For example, I only half-heartedly jest when I say that PCI compliance is the sporting equivalent of being able to tie your shoe-laces. Although it’s not much in the grand scheme of security, and while it’s not going to help you win any races, it’s one less thing to trip you up.
If compliance standards represent the various training regimes that an organisation could choose to follow, then “best practices” may as well be interpreted as the hiring of a professional coach; for it’s the coach’s responsibility to optimise the training, review the latest intelligence and scientific breakthroughs, and to push the athlete on to ever greater success.
In the world of information security, striving to meet (and exceed) industry best practices allows an organisation to counter a much broader range of attacks, to be better prepared for more sophisticated threats, and to be more successful and efficient when recovering from the unexpected. It’s like elevating your sporting preparedness from limping into 64th place in the local high school 5k run due to a cramp in your left leg, to being fit and able to represent your country at the Olympic Games.
My advice to organisations that don’t want to find themselves listed in some future breach report, or to watch their customers migrate to competitors because of yet another embarrassing security incident, or trip over their untied shoe-laces, is to move beyond the C-word and adopt best practices. Constant commitment and adherence to best security practices goes a long way to removing unnecessary risk from a business.
However, take caution. “Best practice” in security isn’t a static goal. The coach’s playbook is always developing. As the threat landscape evolves and a litany of new technologies allow you to interface and interact with clients and customers in novel and productive ways, best practices in security will also evolve and improve over time as new exercises and techniques are added to the roster.
Improve the roster and develop the playbook, and you’re sure to beat those looming threats and push your business and customer service through the finish line.