IT systems pervade enterprises. Systems are increasingly complex; enterprises constantly seek more rapid deployments. And enterprises are increasing the volume and diversity of the data collected and analyzed. All of these factors mean that enterprises cannot rely on a small set of steps to safeguard its operations. Well established security frameworks such as PCI, HIPAA, ISO 27002 or even newer frameworks such as the CSA’s CCM don’t look at a narrow range of controls, instead they cover a wide range of controls. However, simply adopting a security framework does not make an Enterprise secure. Just look at the number of companies that have gone through a PCI DSS compliance program only to suffer a breach a short time later.
A key step is creating a corporate culture that cares about security.
In April 2007, Jason Spaltro, then executive director of information security at Sony Pictures Entertainment and now the senior vice president of information security, was featured in an article published by CIO magazine titled “Good Enough Compliance.” The lead into the article says, “Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don’t waste your time or bankrupt your company.”
The article discussed Spaltro’s experience during a Sarbanes-Oxley audit. The auditor told Spaltro that Sony had several security weaknesses, including insufficiently strong access controls. One of the findings indicated the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols. Sony employees were using proper nouns.
The article discloses that Spaltro argued against requirements to use complex passwords and the auditor eventually agreed not to note the use of “weak passwords” as a finding and Sox failure.
Clearly, Sony had a compliance program in place, and it certainly had the financial resources to implement the latest security technologies, but it suffered one of the most publicized breaches in history.
A fundamental problem is that simply implementing a compliance program does not change the corporate culture. If security is not part of the corporate culture, adopting new policies and deploying new technologies to achieve compliance may be counter productive. Instead, the rest of enterprise may view IT as an obstacle and seek unapproved methods to get their work done.
If we look back to the 1980s, this is how the PC made an entry in large corporations. Business units were frustrated with the timelines dictated by IT staffs dominated by mainframe programmers. Individual business units could suddenly afford to purchase their own computing resources and try things at their own pace. We see a similar phenomenon with rapid adoption of cloud technologies and BYOD strategies at many companies in recent years. Business units may be finding faster lower cost methods of doing business, but too often they are radically changing the security landscape and creating new, poorly understood risks.
However, when we look at enterprises where security is part of the corporate culture, introductions of new technologies is much better managed. Consider an enterprise where security is part of the culture. In adopting BYOD such an enterprise will have human resources focusing on how accessing or responding to work email will impact the status of non-exempt employees. Audit teams will focus on assuring regulations are being followed and enforced. Legal will focus on the protection of confidential material and how to address the subpoena of a personal device. And IT can focus on managing configurations, integration, monitoring, metrics, and support.
Following a security framework in an enterprise that doesn’t have a culture of security will likely lead to tensions and unnecessary spending on technology that is under utilized. But using a security framework as a guideline or roadmap in an enterprise that has a strong culture of security can lead to efficiencies because the enterprise is leveraging the knowledge and experience of organizations from around the world. Such an enterprise is much more likely to adopt new technologies much more efficiently and more cost effectively.