What should you fear the most: hackers and malicious actors, or the auditors behind that pesky compliance status? On one hand, you have those who will steal sensitive and crucial data for personal gain. On the other, you have a nitpicky consultant who will comb over every detail looking to fail your compliance. It's easy to see that hackers are the worse of the two. But go even deeper, and the real question is security vs. compliance.
A Tale of Two Brothers
Like two siblings, they each bring something different to the table and must survive dinner without a shouting match. This can be a touchy subject for some and a love/hate relationship for most, but everyone agrees; you need both. By examining two use-case scenarios, including one real situation, let's explain why organizations should invest in both cybersecurity and compliance.
You can be compliant, but that doesn't mean you're secure: The Target story
When the news broke that Target had been breached and millions of credit cards were stolen, customers, as well as company executives, were left asking “how could this happen?” It was a good question, considering that Target had just passed their evaluation for credit-card compliance. This is an annual audit conducted by a qualified consultancy that checks security and procedure on behalf of card brands like American Express, Visa, or Discover.
If the audit passed, how did this happen?
A breach was possible because it wasn't Target in the crosshairs; it was their heating, ventilation and air conditioning (HVAC) vendor. The HVAC vendor was compromised at some point, and the hackers responsible found that this third party had connectivity to the Target network for billing. From there, it was a matter of time before the hackers explored that access and eventually found their way into the Target core network, compromising sales systems across the nation.
“But wait… shouldn't the expensive, time-consuming compliance audit have caught this?” Not necessarily. A compliance audit is a snapshot in time, intended to examine management and responsibility since the last mandatory audit. Compliance audits also ensure that companies are meeting the compliance standard and enforcing it, which is often the minimum amount of security required to achieve the goal. Also, keep in mind that present-day security compliance standards for credit cards were still in their infancy — the newest version of the standard didn't go into effect until January 2014. Just because you can pass an audit doesn't mean that you can't or won't drop the ball when the “rubber meets the road.”
We left it where? The tale of the unsecured “bucket”
Once upon a time, data was stored within companies on their own hardware, and it was good. Then, technology leapfrogged as the internet allowed more connectivity and higher transmission speeds to move data back and forth. This brings us to today, where it's possible to store your entire business “in the cloud.” Entire enterprises moving their data out to cloud services sounds great in theory, but the margin for error is much narrower. A negligent or complacent security team can sink a company, or at least put it in financial hell as it tries to sort out various lawsuits.
Side note: The cloud is just someone else's computer (end of rant)
Once upon a time, a data analytics company called Alteryx was hosting data in the Amazon cloud, providing services to the U.S. Census Bureau and a consumer credit reporting agency named Experian. A California cybersecurity firm, Upguard, found that Alteryx did not abide by the security controls that governed Experian, which resulted in leaking sensitive data on 123 million US households from an Experian database. Experian had security, but they didn't audit their vendors to ensure policy compliance. Funnily enough, a loss of customer data also occurred in 2015, when Experian reported a data breach affecting T-Mobile customers, and in 2013, when a Vietnamese man purchased Experian data under false pretenses. It seems you can't have one without the other.
So, who is correct?
At the end of the day, who was right? Is security more important than compliance, or is compliance the major focus and security follows?
Both answers are correct. There is no magic “one size fits all” solution for rectifying issues related to cybersecurity and compliance. You still need both brothers to have a successful dinner…err... security program. If it were easy, some of us would be out of a job.
The recommendation is always to contact a service partner who will be able to perform both a compliance gap and a technical control assessment. They will be able to assist in identifying areas of improvement and produce a solution that is custom-tailored to your needs, thus helping your organization grow in cybersecurity and compliance.