Cyber Compliance is The Enemy of Cyber Security
In a blog post on 9/6/17, “Five Things Business Owners Should Know About Managing Cyber Risk”, I wrote: “Cyber security is not about a checklist of requirements; it’s managing an organization’s risk to an acceptable level”. In a post last month, Jim Kennedy writes that a compliance-first approach to cyber security is fundamentally insecure. His reasons:
- Regulatory requirements are typically at least 24 months old when they are implemented, so they are already out of date.
- A compliance-only approach provides hackers with a blueprint for attack, using security weaknesses not covered by regulations.
- Regulations are open to interpretation and are not business-specific.
While compliance is important, it should be subordinate to security. The growth of the Internet of Things means that cyber breaches not only damage or destroy data but are a threat to life and property. In the event of a claim, compliance with regulations would be an ineffective defense against testimony that security was inadequate.
Kennedy argues that organizations and regulators need to adopt a “zero trust” mindset. Security should be decoupled from the IT infrastructure to focus on specific user or device vulnerability. Organizations should consider their data assets and applications and determine which users require access to specific assets. By using cryptographic segmentation, organizations can ensure that only privileged users have access to sensitive information. Separate encryption keys make it impossible for hackers to move from one domain or segment into another, thus containing a data breach. Only after data is secured should organizations apply compliance requirements.
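To make the cryptographic segmentation idea concrete, here is an added example (not code from this post or from Kennedy) that models it in Python. Each segment of data is sealed under its own key derived one-way from a master key, users are handed only the keys for the segments they need, and a breach simulation shows that a stolen key for one segment does not open records in another. The segment names, user names, records and the `SegmentedStore` class are all constructed for illustration; the encrypt-then-MAC cipher built from HMAC-SHA256 is a standard-library stand-in for a real AEAD such as AES-GCM, used only so the example runs without extra dependencies.

```python
import hashlib
import hmac
import secrets

# All segment names, user names and records below are constructed for this example.


def derive_segment_key(master_key: bytes, segment: str) -> bytes:
    """Derive an independent key per segment with an HMAC-based KDF.
    The derivation is one-way, so holding one segment's key gives no
    information about the master key or any other segment's key."""
    return hmac.new(master_key, b"segment:" + segment.encode(), hashlib.sha256).digest()


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity (encrypt-then-MAC).
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for a real AEAD
    # (AES-GCM, ChaCha20-Poly1305) so the example runs with the stdlib only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(segment_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate one record under a segment key."""
    enc, mac = _subkeys(segment_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(segment_key: bytes, blob: bytes) -> bytes:
    """Verify and decrypt one record; fails closed if the key does not match."""
    enc, mac = _subkeys(segment_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # A key from another segment (or a tampered record) fails here.
        raise PermissionError("record not readable with this segment key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class SegmentedStore:
    """Data assets grouped into segments, each under its own key; users
    hold only the keys for the segments they have been granted."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._records = {}  # segment -> list of sealed records
        self._grants = {}   # user -> {segment: segment key}

    def grant(self, user: str, segment: str) -> None:
        # Granting access means handing out that segment's key and nothing else.
        self._grants.setdefault(user, {})[segment] = derive_segment_key(self._master, segment)

    def store(self, segment: str, data: bytes) -> None:
        key = derive_segment_key(self._master, segment)
        self._records.setdefault(segment, []).append(seal(key, data))

    def read(self, user: str, segment: str) -> list:
        key = self._grants.get(user, {}).get(segment)
        if key is None:
            raise PermissionError(f"{user} holds no key for segment {segment!r}")
        return [open_(key, blob) for blob in self._records.get(segment, [])]


def demo() -> dict:
    """Walk through a grant, a denied read, and a stolen-key breach simulation."""
    store = SegmentedStore(secrets.token_bytes(32))
    store.store("hr", b"salary band: L4")
    store.store("finance", b"Q3 revenue: $1.2M")
    store.grant("alice", "hr")  # alice needs HR data only

    result = {"alice_hr": store.read("alice", "hr")}
    try:
        store.read("alice", "finance")
        result["alice_finance"] = "readable"
    except PermissionError:
        result["alice_finance"] = "denied: no key"

    # Breach simulation: an attacker holding alice's HR key tries it against
    # a finance record; the separate key keeps that segment closed.
    stolen = store._grants["alice"]["hr"]
    try:
        open_(stolen, store._records["finance"][0])
        result["stolen_key_on_finance"] = "readable"
    except PermissionError:
        result["stolen_key_on_finance"] = "denied: wrong segment key"
    return result
```

The two `PermissionError` paths are the point: the policy check in `read` denies a user who was never granted a segment, and the integrity check in `open_` denies a key that was obtained for a different segment, so containment does not depend on the access-control layer alone. In a deployment, the segment keys would live in an HSM or key management service rather than in a dictionary, and the toy cipher would be replaced by a vetted AEAD.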