I am often asked to explain the difference between a security compliance audit, a vulnerability assessment, and a penetration test. These exercises do many of the same things, but to a different degree. A security compliance audit is like a 5K fun run, where a vulnerabilty assessment is more like a marathon. A penetration test is an iron man competition.
In the course of my professional practice I work with many organizations and companies that are in government regulated industries or need to meet some sort of security compliance standard. If you take credit cards, for example, you need to meet the PCI-DSS compliance standard for cybersecurity operations. If you are in health care, then it is HIPAA-HITECH. If you are in the DOD supply chain, then it is NIST 800-171. For companies that work in these regulated spaces, becoming and remaining compliant is important.
But compliance is not security. Compliance standards are essentially a MINIMUM set of security requirements. The Titanic had the required minimum number of lifeboats. The o-rings for the space shuttle Challenger met a set of minimum standards too. Meeting minimum cybersecurity standards is not a guarantee that your company is secure, in fact meeting just the minimum pretty much guarantees that you are not secure. The reason for this is that government regulations and security compliance standards lag behind the current state of the cybersecurity environment. In other words, they are out of date.
This is why I don’t give a damn about compliance. I am interested in helping my clients become truly as secure as possible, given their industry and budget. If I get you to a place of relatively high security, you will automatically meet whatever compliance standards that apply to your company.
I get the most resistance from the C-suite. If you are a CEO, cybersecurity does not move your metrics or help you with your quarterly bonus. CFOs generally hate cybersecurity because it is expensive, relatively speaking. Even CIOs can give push back, as budget dollars going to security initiatives generally come out of the budget for other IT initiatives that have a more direct impact on employee performance or customer satisfaction.
So let’s imagine for a minute that your company has suffered a serious cyber-breach, and client information is in the wild. Eye Witness News in parked in front of your building. Is this your message? “We are fully compliant with all industry security regulations but didn’t think it was important to spend the money to fully secure our network, so we got hacked anyway.”
There have been a few ritual beheadings of CEOs following breaches, lately. We also have seen it negatively impact an acquisition (Yahoo) and reduce the price the acquiring company finally paid. These issues do move metrics in the C-suite, or at least can get them engaged through self-interest.
So we are seeing cybersecurity become more important to company boards and senior managers. This is encouraging. For those of us who have made this our life’s work, we can only hope that this trend continues.