TheSupe87 - Fotolia

Manage Learn to apply best practices and optimize your operations.

Compliance standards create false sense of cybersecurity awareness

Organizations increasingly cater security controls to compliance standards, but doing so could leave critical data and other assets vulnerable.

Compliance has become a part of doing business, with information governance, risk management and security controls all playing a key role in adhering to regulatory standards. But it's important to remember that risk assessment, compliance and cybersecurity awareness are interconnected pieces of the security puzzle, and neglecting any one of these aspects could lead to a total system failure.

Failure to conduct a proper risk assessment, combined with basing security and safety on a compliance checklist, may have been a key factor leading to the 2010 BP oil spill in the Gulf of Mexico. A lack of awareness and training was found to be a contributing cause of the spill, with Federal District Court Judge Carl Barbier suggesting that BP's "crews lacked training about the proper use of diverters that should have directed dangerous hydrocarbons away from the rig" that exploded. Jeff Ruch, executive director of Public Employees for Environmental Responsibility, claimed the BP safety inspectors "just made sure the companies checked the right boxes" to remain regulatory compliant. 

As the BP spill shows, relying solely on security controls stipulated by compliance standards can actually end up making organizations' networks less secure. It can also create over-confidence in the security of the information systems: Risk compensation is a theory that examines perceived levels of risk and how people or organizations adapt their behavior according to those risks. People and organizations usually become more careful when there is greater risk awareness, and more relaxed and less careful if they feel safe and protected.

For example, there have been studies that have shown the effects of wearing seatbelts can lead to driving faster. Similarly, organizations that rely on a compliance template for security often neglect thorough risk assessments and cybersecurity awareness training. A reduction in safety when relying on a regulated security mechanism is sometimes referred to as the Peltzman effect, which suggests that strict regulation can be counterproductive and can actually make things less safe. 

One pixel Education, awareness key to cybersecurity
and data protection

Similarly, compliance standards such as the ones found in NIST SP 800-53 enumerate many security controls. They may, however, inadvertently reduce overall security benefits to an organization's network if they are too rigidly adhered to. For example,  the NIST SP 800-53 Rev. 4 states that "the security controls and control enhancements listed in the initial baselines are not a minimum, but rather a proposed starting point from which controls and controls enhancements may be removed or added."

This should indicate to any security analyst that these controls are meant to be tailored by the organization using them in order to align to their own specific security requirements. This isn't always easy: Tailoring controls to meet specific security requirements requires risk assessments that consider numerous factors, such as who the users are, the company's unique threats, and its data vulnerabilities.

The Stuxnet worm that crippled Iran's nuclear program is another example of compliance not equaling security. Industrial equipment such as its PLCs (programmable logic controllers) were probably compliant with international standards, but there was clearly some sort of security lapse that allowed the Stuxnet worm into the SCADA systems of their nuclear enrichment machinery.

The Target breach is a third example of organizational compliance leading to an overall complacency in security. Target cardholder information was accessed via a third-party refrigeration contractor. Neglecting to conduct a thorough risk assessment and cybersecurity awareness training for Target's third-party vendors may have helped the breach occur.

Being compliant is obviously not a bad thing, but relying solely on compliance for security can certainly become a problem. Standards like those provided by NIST SP 800-53 can act as a baseline by presenting rules and stressing compliance, but risk assessments must be used to pursue recommendations on how to further secure the organization's network. Risk assessments identify the assets that need to be protected, prioritize them and help apply reasonable security measures. This will help both mitigate security vulnerabilities while still meeting compliance specifications.

The most thorough and realistic risk assessment incorporates identification and prioritization. Risk identification determines the threat the risk poses to company assets, while prioritization determines the potential damage each individual risk may cause. U.S. government organizations use NIST standards and recommendations, which are arranged into nine primary risk assessment steps in the NIST SP800-30 Risk Management Guide for Information Technology Systems.

It is important to note that while compliance has become a big part of doing business, companies can't cut corners and assume following regulations will equal security. Risk management tools such as vulnerability scans or penetration testing will always be needed to help determine other security holes that need to be addressed. Ultimately, a combination of compliance standards, risk assessments and cybersecurity awareness is the key to reducing regulatory complications and improving security.

Daniel Allen is a Research Fellow at the Center for Climate and Security, where he focuses on the intersection of strategies for cybersecurity and climate change security risks. He is also President of N2 Cyber Security Consultants, LLC, and has worked as a Research Scientist for the Naval Health Research Center/ Medical Resource Planning, is a U.S. Army/Desert Storm veteran and a high school science and climatology instructor. He holds a Master's Degree in Cyber Security and Information Assurance from National University, designated by the National Security Agency and the Department of Homeland Security as a "National Center of Academic Excellence in Information Assurance Education."

Next Steps

More on compliance and security

Basic communication essential to ensure cybersecurity

Fundamental controls key to online threat protection

Dig Deeper on Regulatory compliance reporting

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

How does your organization ensure it is creating the right balance between effective security controls and adhering to compliance standards?
At the moment, nothing much has been done to create such a balance, but learning from several case studies, I have noted that many organizations focus on hardening security controls and forget the provision of risk-based training for staff members. Though compliance may have been met, the ability of staff members to handle misgivings pertaining to security is important. This ensures that employees are capable of acting on threats that could shake the organization's stability.
Such a great point! Being a business owner myself, I completely understand the expedient desire to meet burdensome government and industry compliance regulations and be done with it. But information security is not a one-time deal that you just set and forget. The scary thing is how often I see money being wasted on senseless security controls that merely serve to create a false sense of security (or should I say compliance). Either way, nothing very productive is getting done other than appeasing management and perhaps some not so sharp auditors.
Absolutely Kevin - companies definitely need to find that right balance between compliance and security. The two departments can definitely help each other out and consolidate some processes, but being compliant doesn't mean the company is secure, and vice versa.