At work today, I found myself fighting he same battle again – The battle I have faced at this job more than I have seen in past roles. The battle is between being “Compliant” and being “Secure”.
In 2009, Heartland Data Systems reported that they had been breached to the tune of greater than 130 Million credit card records. The company had all of the appropriate certifications and attestations to state that they were compliant with the PCI DSS and other security controls tests, however their defenses were so weak that even with the controls associated with the DSS, they were breached.
Fast Forward a few years to Global Payments. They were breached to a reported 7 million records. They were compliant and had the ROC to prove it. However, their defenses were also weak.
Both companies rebounded well, even though it may still be too early to tell with Global Payments. Once properly scrutinized from a security and risk standpoint, the proper and appropriate controls were put into place. Heartland is an industry success with their resurrection. They emerged stronger and more compliant, but not because they focused on being compliant – they focused on being secure.
I work at a company with a rich history of getting budget approved and making changes by bludgeoning the reluctant with threats of noncompliance. The culture permeates all support and other non revenue-generating groups, sales, product support and customer relationship folks. Simple decisions like “where do we put this server” to “Do I abdicate my data protection obligations when the customer makes xyz request” are presented and supported from a compliance perspective rather than from a thoughtful, risk-based reasoned approach. (If you are playing at home, the answers are “In the server room, not on the production floor” and “no”.) The customer wants it done, and cost drives the solution. Can we “get by” with a compliant (but risky) solution, or do we go with a secure and lower-risk one? (I’ll take “B” for $25k)
I’m sure that there are many companies which believe that, because they have a ROC and show off their AOC, have narrowly-scoped SSAE 16 reports, or ISO 27001 certifications that they can call it a day. That’s it (that’s enough, right?).
Already this year, there have been seven reports of breaches or other unauthorized disclosures of personal information reported (http://www.privacyrights.org/data-breach/new). Of the seven, five were medical providers, one was a retail merchant, and one was a futures broker.
The broker was the victim of a hacker who stole names, Social Security numbers, addresses, dates of birth, range of net worth and income, bank names, passwords, and email addresses by exploiting a vulnerability in a web application. They deal with data from across the world including Great Britain, so they must have been compliant from the EU DPD at the very least. But secure? Their web app certainly was not. Could it have been a zero day that was exploited? Possibly, there is not enough to tell. My money is on a web application that was not built with security and not tested afterwards.
How about the medical providers? One lost a portable hard drive with over 19,000 records on it. Doesn’t HIPAA/HiTECH require encryption? I imagine that they take credit cards in payment. PCI sure cares about removable storage. They may have passed compliance audits but their practices seem to not be secure.
Every day on the job, I work to move us past thinking of ourselves as “compliant” to thinking of ourselves as “secure”. I’m sure that I am not the first person to have this thought, but I find myself saying it more and more: “That you are compliant does not necessarily also mean that you are secure, but it is likely that if you are secure, you will also be compliant.”