After spending a week at an amazing Project Honeynet 2010 Annual “Get-together” in Mexico City, I realized that the workshop environment was missing one big thing: nobody ever mentioned COMPLIANCE (!!!). Yes, the pink elephant in the room was …not in the room – no trace of it, not even a whiff of compliant elephant dung.
The discussions covered malware (mostly bots, but also Conficker, of course), malware reversing, attacker behavior, distributed data analysis, intelligence gathering, log analysis (see the class that I gave there) – but not compliance. As a result, my brain got completely drained of all compliancy (and, no, the fact that I had to then fly to give my PCI DSS keynote didn’t stop it from draining).
And then I had A COMPLIANCE EPIPHANY.
You see, compliance has no value. [this would be a good moment to say that this gets a Captain Obvious 2010 award :-)] None! If somebody offers you “ROI for compliance,” just smile and kick them in the nuts. Hard! Then smile again. And if you are feeling generous, do it again! Again!!
Let me rephrase it: regulatory compliance has no intrinsic value. Just as a seatbelt law that fines you $30 for not wearing a seatbelt has no value – in fact, it has a negative value (of -$30) to those fined.
However, the epiphany continues: does the above mean that all the recent “comply-mancing” is in vain?
No, I think that is is needed more than ever!
Imagine the Universe where we, security professionals, possess detailed information on the threats that we face AND on the countermeasures we have – complete with how efficient each countermeasure is against each threat. In this case, doing “risk management” will be trivial: run a list of threats your organization faces, get the desired degree of security (or, “risk”, if you must call it that), then pick the countermeasures which will get you there, starting from the least expensive. Bingo! You are done. If you run out of budget in the process, then go back and reassess the desired degree of security/”risk”. Or negotiate the lower price with the countermeasures provider.
As you are reading the above, you are quickly coming to a realization that such description truly has nothing to do with the world we live in (sorry for NLP mind tricks…)
In our world, threats are of unknown frequency and damage (ALE my ass!), countermeasures are of unknown efficiency and random cost – plus both change all the time. And we don’t even have the formula to plug the unknown and changing numbers in. And we can’t reliably value assets and losses. And we don’t know what is our desired level of security – that was icing on a security cake…yummmm.
So, what are the choices a majority of organizations take? Do nothing. Or do something random. Or do “something cheap.” Securosis folks once called it a market failure in security. Rich’s recent presentation at Secure 360 conference also spoke about the same.
The result? Massive 0wnage, fraud, losses, breaches and other cyber-freaking-war.
Here is where compliance comes in. Compliance is a blunt instrument (a sledgehammer, as I say here) to compel people to do security, auditability, transparency, even responsibility for the losses of others and sometimes even for their own losses, etc.
We live in an intensely interconnected world and if a merchant does not protect the data belonging to an issuer (taking an example from PCI land), we all suffer. If people don’t protect [or remove] such data, we’d have no ecommerce as electronic payment system will eventually crash. No electricity as SCADA systems will [eventually] be hacked. And no healthcare as eventually reliance on computers in healthcare will lead to people being KilledBySoftware (also see Security Predictions 2020)
Can we mandate that people do a good job? No. “Good job” by definition comes from the heart, not from the whip. Is it still worth it? Yes, I think so. In other words, the current onslaught of compliance is a sign that information security is pretty much mainstream. In the future, compliance efforts will help establish a new, higher baseline level will be established – and security battle will shit to levels above it.
Finally, is there any other way to sell security? Yup, FUD. Arghh!!!! You are sooo getting owned if you don’t buy our stuff!!! I happen to think compliance is a better choice than that.
To conclude this passionate epiphany, I have to say, thrice:
If you are “doing compliance” and gain no value of security, you are probably an idiot. Please stop!
If you are “doing compliance” and gain no value of security, you are probably an idiot. Please stop!!
If you are “doing compliance” and gain no value of security, you are probably an idiot. Please stop!!!
Possibly related posts:
- Risk vs Risk
- My Best PCI DSS Presentation EVER!
- Source Boston 2010 Conference Notes and our PCI DSS presentation.