Topic: The Compliance Equals Security Disconnect
"Use the tools at your disposal correctly, stay current on threats, monitor your security posture, and live a long, prosperous, secure life."
A discussion between Sean Costigan, Prof, George C. Marshall European Center for Security Studies, and Jeff Hall, Principal Security Consultant at Truvantis.
Sean: Welcome attendees to our webinar today where we will be discussing the security equals compliance disconnect. I'm Sean Costigan. I'm a professor at the George Marshall European Center for Security Studies, as well as the host of the Cybersecurity Summit Webinar Series. Now let me briefly introduce our speaker Jeff Hall. Jeff is a principal security consultant at Truvantis. He has over 30 years of technology and compliance experience. Jeff has done significant work with financial institutions, health care, manufacturing, and distribution industries, including security assessments, strategic technology planning and application implementation.
And Jeff is also part of the PCI Dream Team and the writer of the PCI Guru blog, which many of you know about. But if you don't, I highly recommend that you do go to it. Well, welcome, Jeff. It's a pleasure to be able to speak with you today.
Jeff: Thank you. Glad to be here.
Sean: I hope I'm not doing too much of a disservice to it, but the blog itself is great. I'm one of your followers.
Jeff: Thanks. Yeah, I've written the blog since 2009. It is focused on PCI, but really if you substitute HIPAA, the rules there apply regardless. The PCI standard is probably one of the best data protection standards running around these days. I know a lot of people find it very prescriptive, but they have to be.
Sean: It's interesting because you're going to hit right on this security and compliance issue. And I know PCI is a lot about compliance. So it'll be interesting to see how you thread that needle.
Jeff: You know, I wish I had a dollar for every time I've heard compliance is not security out of someone's mouth.
Jeff: Everybody says it, not just security people. You hear it from the C level, you hear it from middle management. Everybody says it doesn't happen. And I'm kind of a contrarian in this respect. The bottom line is we have frameworks, whether you pick NIST, whether you pick PCI, CIS Controls, HITRUST, ISO, name your poison. The frameworks are the frameworks and I'll get into them a little bit later.
Jeff: But you start to wonder, isn't it an excuse? Do they have a point? What is the problem? Is the problem the framework? Is the problem even complying? It's always hard to say. And, you know, let's take a look at the word compliance. Conformity in fulfilling official requirements. Yeah. So if you're saying compliance isn't security, then it must be your framework that's messed up because you have to comply with the framework, you have to follow it.
Jeff: If it's not the framework, where are our problems? Is it in the documentation? Is it in training enforcement? Are we lax because we don't enforce the framework across the organization or is it execution? There has to be a problem somewhere in this mess that says compliance is not equaling security. And at the end of the day, if it's the framework that's the problem, then your security program is going to be a problem because you're following the wrong framework.
Jeff: And I know that's not the case because frameworks are developed by very, very smart individuals. Actually, groups of individuals. And so I just can't believe that the framework is the problem here.
Sean: Two questions. How much is compliance equal to security? I think you addressed that really well in your presentation, but maybe there's a one-word answer for that.
Jeff: Well, the problem there is compliance does equal security. It's just that most organizations are very bad at complying with their security. Read the Verizon DBR. It's full of examples where people fail. And that's the problem. The failures become more and more large. And then you've got a big hole and you get a breach. So, you know, compliance equals security because you have to comply 100% of the time.
Jeff: Sadly, we only comply 90 or even 80% of the time. And we defeat defense-in-depth as a result. So that answers that. To Glenn's question about base commonality: almost all security programs share their bases in one form or another around the NIST framework. I mean, the NIST framework has been around, what, 30 years now, so they all share that.
Jeff: And what they've done is, for example, you take PCI and look at it, it's much more prescriptive around security, even regarding networks and all that kind of stuff. I mean, they mandate DMZs, they mandate control of ports and services, which, interestingly enough, I will share this: in the SolarWinds breach there was one organization that had SolarWinds that had no problem at all with it.
Jeff: Any guess, Sean, as to who it was? Because it shocked the living daylights out of me when I heard about who it was.
Sean: Don't tell me it was Microsoft.
Jeff: No. Our friends at the Internal Revenue Service.
Sean: OK. The IRS.
Jeff: And the reason they didn't have a problem is because they have some of the most restrictive network egress rules of any organization on the planet. Right. And not only do they restrict egress, they monitor the living daylights out of it.
Sean: Well, on that note, let me thank you very much for giving us a tour of the horizon on all the different issues, you know, like security and compliance disconnect. I think it's been very fascinating for my side, too, to be able to hear. And I've taken copious notes. I hope that we have the opportunity to be in person and talk about it further.
And thanks to Truvantis for giving your time and allowing us to hear from you; it's a real pleasure.
If you'd like to be our guest at the Cybersecurity Summit, email firstname.lastname@example.org
The 12th Annual Cyber Security Summit takes place October 24-26, 2022, and is offered as a hybrid event in Minneapolis, MN and through our virtual platform provider, fairs.