Security Compliance does not equal Security

Efforts to achieve and maintain industry compliance and regulatory mandates are a good first step on the road to security.  The list of standards is long, and there is no shortage of complication and effort in reaching a compliant state.  Among these standards are well-known names such as HIPAA, PCI-DSS, ARRA, HITECH, FFIEC, JCAHO, GLBA and SEC, and the list goes on.  Depending on the organization, it may need to adhere to one, a few, or several of these standards.  Compliance has become an extremely time-consuming task for many organizations, with significant resources across the organization dedicated to its various tasks.  Tackling these challenges requires a clear mission and supporting strategies on several levels, not only to come into compliance but to protect assets and keep capital and operating costs in check.  Yet despite all of these efforts and the posture they provide, a contentious reality arises: security compliance is a noble but futile diversion from security practice, and really just one component of the overall security picture.  Compliance can create a false sense of security that seemingly tells people all systems are fully protected, but this is far from the truth.

Compliance in general consists of a standard set of steps and processes that lets an organization arrive at a predetermined state which can be reviewed, followed, and encapsulated into business processes.  One problem with that is that new Internet threats and attack techniques emerge daily.  Relentless cybercriminals attack websites, networks, databases, applications and end users.  The threat grows daily as these incidents turn up in the news, and their sophistication is on the rise as well.

Efforts to stay within compliance serve mainly to minimize the organization's risk of penalties for missing components of the various standards.  Even after all compliance efforts are in place, the underlying truth is that a typical malicious hacker has numerous ways to compromise a target, many of which are likely not addressed by compliance standards.  Compliance won't necessarily protect you from the bad guys; at best it may provide procedures to discover what happened after a compromise.  Add to this the fact that sometimes, if not most times, intrusions come from within an organization: mishandling of data, lax security practices at a third-party provider, rogue employees and other threats.  These types of incidents can be very difficult to identify and investigate.

Healthcare scenario

In the following video, Eddie Mize, CISO of a major healthcare organization, Exempla SCL Health, makes a striking case for security practices that extend well beyond compliance.  Healthcare is already one of the most difficult realms of compliance, falling under HIPAA, PCI-DSS, JCAHO and ARRA, among several other regulations and standards.  Users within these organizations often roam from hospital to hospital, creating more challenging situations than usual.  In fact, healthcare organizations typically have little real information on who accesses electronic medical records, and very little ability to audit effectively across numerous systems and programs.

Many healthcare organizations struggle with budgetary constraints, weak security mandates, a lack of leadership support, and an evolving, technologically demanding user base.  Set against the very real financial risk they face in the event of a breach or a significant compliance penalty, this puts them in a perilous security position.  In the video Mize addresses various security concerns that fall outside standard compliance yet present significant and very real threats to healthcare in particular.  He also illustrates a number of true situations where a compliant organization was found to have seriously deficient security.  These situations are often comical, but the seriousness of what is vulnerable should not be lost.  Organizations have a responsibility to secure not only their own information but also the information of those who cannot do so for themselves; in this case, that of the patients.  Personal Health Information (PHI) is a massive privacy issue, and its protection, security and privacy are of critical importance.


When thinking of security beyond the realm of compliance, there is no single model to follow, but rather a series of approaches to reaching the most secure state.  Every organization can and should approach security individually, to suit its own needs and the realities of its available resources.

A number of steps can be vital in developing a security plan for an organization.  Offered as food for thought, the following illustrate some of the steps that can lead to better security in light of today's technology and evolving threats:


A vigilant, whole-organization approach to security should be adopted to deal with the sum of these threats.  Start with the basics, such as a thorough risk-based assessment that reflects the critical information your organization is trying to protect.  Review the lifecycle of this data, and be sure to have an accurate inventory of it in all aspects of the client workflow.  Identify where that information is not adequately secured and produce a gap analysis.  Entities need both technical controls and business processes for controlling access to protected data.

New Technology

Implement appropriate technology to meet the challenges.  Traditional perimeter security products are only a starting point.  Expand the scope of technology to accommodate the evolving technology base.  Mobile devices are constantly emerging and changing the landscape.  Elements like encryption, application control and network security take on a whole new dimension in light of these and other devices.  The audience is demanding more functionality, adding to the challenge.  It is a delicate balance to enable users and secure them at the same time.

Data Loss Prevention, intuitive logging, and other technology products offer a great deal of benefit and security within the company data center.


Train people on what it means to be secure.  The weak link in security is often people.  Social engineering can extract huge amounts of exploitable information.  It is also important to educate personnel on which computer assets need protection.  Minimizing breaches caused by personnel can mean significant gains in overall security posture, and that starts with excellent education planning and constant communication, in addition to mature security structures.

Security Champion

Security is not cheap and it is not easy.  Every organization needs a security advocate at a meaningful level within the ranks in order to achieve significant success.

Executive leadership with a strong mandate has the ability to recognize which security efforts will provide the best value to the organization and to follow through on them.  Budget and effective communication are powerful drivers that can strengthen the organization's security posture.  Security is not a direct profit center for a business, so this can be a challenge, but focusing on the best possible security reduces risk that every organization has a responsibility to manage.

Regulatory Fines/enforcement

Without fines and enforcement from the appropriate bodies, the incentive to practice security may diminish.  This is why auditors routinely review and report on compliance and violations.  As one example, recent HIPAA violations have started to result in substantive financial penalties in the healthcare space.  Incidents like these are important and create real financial risk that should not be ignored.

Early detection

Make a plan for breach detection.  Under some regulations, failure to detect breaches can result in significant penalties that scale into millions of dollars from a single incident.  Methods of dealing with this include vigilance in technology, monitoring, auditing and the periodic review of protected information for inconsistent attributes.
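The paragraph above, and the earlier remark that healthcare organizations have little ability to audit who accesses electronic medical records, describe monitoring and auditing only in the abstract. The following script is an added example, not code from the article or from Exempla SCL Health, of what a first-pass review of an EMR access audit log can look like. The log lines, the column layout, the department names and the three thresholds (roaming departments, business hours, daily patient count) are all constructed assumptions for illustration; a real deployment would take them from the organization's own access policy.

```python
"""Review a constructed EMR access audit log for early signs of inappropriate access.

Three simple rules are applied, each producing a finding for a human reviewer to triage:
  cross_department - a clinician viewed a record from a department they are not assigned to
  after_hours      - any access outside the configured business hours
  high_volume      - one user viewed more distinct patients in a day than the threshold
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system).
# Columns: timestamp, user, user_dept, patient_id, patient_dept, action
SAMPLE_LOG = """\
timestamp,user,user_dept,patient_id,patient_dept,action
2013-04-02T09:15:00,jdoe,Cardiology,P1001,Cardiology,VIEW
2013-04-02T09:20:00,jdoe,Cardiology,P1002,Cardiology,VIEW
2013-04-02T23:40:00,jdoe,Cardiology,P2001,Oncology,VIEW
2013-04-02T10:00:00,msmith,Billing,P1001,Cardiology,VIEW
2013-04-02T10:05:00,msmith,Billing,P2001,Oncology,VIEW
2013-04-02T10:10:00,msmith,Billing,P3001,Pediatrics,VIEW
2013-04-02T11:00:00,rlee,Pediatrics,P3001,Pediatrics,VIEW
2013-04-02T11:01:00,rlee,Pediatrics,P3002,Pediatrics,VIEW
2013-04-02T11:02:00,rlee,Pediatrics,P3003,Pediatrics,VIEW
2013-04-02T11:03:00,rlee,Pediatrics,P3004,Pediatrics,VIEW
2013-04-02T11:04:00,rlee,Pediatrics,P3005,Pediatrics,VIEW
2013-04-02T11:05:00,rlee,Pediatrics,P3006,Pediatrics,VIEW
"""

# Tunable policy. These values are assumptions for the example, not from the article.
ROAMING_DEPTS = {"Billing", "Emergency"}  # roles expected to touch any department's records
BUSINESS_HOURS = range(6, 22)             # 06:00-21:59 counts as normal working hours
DAILY_PATIENT_THRESHOLD = 5               # distinct patients per user per day before flagging


def parse_log(text):
    """Parse the CSV audit log into dicts, converting the timestamp to a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows):
    """Return a list of (rule, user, detail) findings in the order they were raised."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient ids seen that day

    for r in rows:
        user, ts = r["user"], r["timestamp"]
        per_user_day[(user, ts.date())].add(r["patient_id"])

        # Rule 1: the record belongs to a department the user is not assigned to,
        # and the user's department is not one that legitimately roams.
        if r["user_dept"] != r["patient_dept"] and r["user_dept"] not in ROAMING_DEPTS:
            findings.append(("cross_department", user,
                             f"{r['user_dept']} user viewed {r['patient_dept']} record {r['patient_id']}"))

        # Rule 2: access outside business hours.
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours", user, f"viewed {r['patient_id']} at {ts.isoformat()}"))

    # Rule 3: unusually many distinct patients for one user within a single day.
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > DAILY_PATIENT_THRESHOLD:
            findings.append(("high_volume", user, f"{len(patients)} distinct patients on {day}"))

    return findings


if __name__ == "__main__":
    for rule, user, detail in review_access(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] {user}: {detail}")
```

On the constructed log this flags jdoe's late-night view of an Oncology record under two rules and rlee's six distinct Pediatrics patients under the volume rule, while msmith's cross-department views pass because Billing is listed as a roaming department. The rules are deliberately coarse; their value is that the findings exist at all, so that the "periodic review" the paragraph calls for has something concrete to review.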


Establish a process, and execute it consistently, for the necessary tasks of reviewing intrusion prevention system logs and applying patches regularly.  Far too many of the recent attacks to hit the news have been launched against well-known, long-since-patched vulnerabilities on standard technology platforms.  The list of deficiently patched technology includes everyday components such as routers, switches, web server applications, operating systems and databases.  A diligent plan reviews these platforms consistently for vulnerabilities and misconfigurations and applies the principle of least privilege: access strictly limited to the information that is required.


Staying in touch with emerging threats and countermeasures is a critical part of a proactive security practice.  Attention to intelligence gleaned from multiple sources throughout the world, and from other corporate entities, gives an organization knowledge that can improve its reaction to these threats.  When an anomaly or emerging threat is detected from one of these sources, countermeasures can be developed, evaluated and enabled to protect the organization.

Keep it real

It can be a monumental task to deal with the whole of potential security threats.  Know that if you are the target of a determined, talented hacker, there is probably no stopping them from getting in.  In reality, the majority of hackers want easy targets, and a well-developed plan will make you one of the harder targets.

Manage the real, not theoretical risks to the business, comply with regulatory guidelines and mandates, and align with industry best practices.

Show Off

Be willing to take credit for your efforts.  Again, this is not a profit center, so be ready to demonstrate your security effectiveness to executives, auditors and examiners.  Getting the security message out to the organization gives it the best chance of success.
