For many people in management, if the business is compliant with this law or that regulation, then all is well in IT land. I see businesses all the time -- especially in the health care industry -- that believe that their minimal compliance strategy
Not so fast.
Managing information risk in your enterprise is more than just “compliance” as we know it. It’s extremely easy to fall into the mind-set of “we’re compliant, therefore we’re secure.” If we could step back in time and ask the leaders at any of the organizations on the Chronology of Data Breaches whether or not they were compliant with regulations, I’m confident they’d reply with a resounding “Yes, of course!” A compliance strategy checkbox is one thing, but effectively managing information risk is quite another.
The following are various ways that your business could be compliant, yet still have glaring issues regarding managing information risk:
- Strong passwords are in use, but on closer examination it’s determined that operating system passwords are being shared and SQL injection is present in a critical Web application. This creates accountability issues and can lead to complete compromise of sensitive information, no matter how strong the passwords appear to be.
- Laptop encryption is in place, but only part of the hard drives are encrypted, and users are placing sensitive information outside the protected area.
- Disaster recovery and incident response plans are in place, but the plans are outdated, contain procedures that no longer apply, or overlook critical systems altogether.
These are just a few examples of what I see on a regular basis. The opportunities for oversights and dangerous assumptions surrounding managing information risk and compliance strategy are enormous.
Perhaps more importantly, managing enterprise risk is not just about protecting personally identifiable information (PII). Sure, the media and vendor surveys like to sensationalize it, but PII is only half of the information risk equation. You also have to consider intellectual property. Ask any business executive or board member if he thinks that protecting his organization’s intellectual property is, in theory, just as important as protecting PII, and I suspect you’ll get nothing but yes answers. We’re often focused on protecting PII because that’s where the penalties come into play, but you have to look at the entire picture.
It’s easy to spend all of your time, effort and money on simple “compliance” to please your auditors or legal counsel, but that’s a shortsighted approach that sets the business up for failure long term. Rather than solely relying on compliance status to ward off the numerous threats and vulnerabilities present in your environment, step back and think of your work in terms of managing information risk.
Long-time perspective is especially important in lean times. Combine that with how burdensome “compliance” has become, and it’s easy to end up heading in the wrong direction. Before you know it, your information systems will have become so complex and compliance will have created such a false sense of security that you end up back at square one. Be careful and consider everything … because ultimately everything matters when it comes to risk and compliance.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.
This was first published in September 2011