Let's agree on a definition of the term “security” and move forward from there, says AT&T's Chris Mark.
While used every day, the term “security” can be deceptively difficult to define and may contain various meanings to different people in divergent contexts. The industry at large seems to have adopted a stance of “I know it when I see it,” as opposed to objectively defining the concept. Unfortunately, this creates numerous problems for those who have a need to ‘secure' data, or any other asset.
For more than two decades, I have served in a number of security functions, and have found it curious that in each industry or domain few, if any, people were able to provide a clear definition of the term ‘security'. Many could describe the concept and list characteristics, but nobody could provide an actual definition that could be used to objectively measure whether a building, system, person, or other asset was or was not secure.
Recently, I conducted a survey of security professionals from a number of domains and asked them to each define the term ‘security'. Responses ranged from personal, private or public protection to being prepared to lessen or eliminate the effect of unwanted events, and providing defense for a target of high value against aggressors. Yet, despite possessing identical security certifications and training, no two respondents provided the same definition of the term.
This subjective context-dependent approach to security creates confusion and, more profoundly, creates liability for those operating under different definitions. Companies are often legally required to ensure their systems are ‘secure'. Within the Payment Card Industry (PCI) DSS, the term is used multiple times. Without an objective denotation of the term, it is difficult to make an argument stating that a company is or is not secure – until there's a data breach. In the aftermath, it's not uncommon for pundits to proclaim an organization or system was ‘not secure'. These same pundits, however, would likely never be willing to state that a company was ‘secure' before the breach. Under this condition, the key determinant for establishing whether a company is ‘secure' is whether or not they have been breached. This is a form of logic known as ‘classical negation'. Simply, “I can only define the term by telling you what it is not.”
The end result of not being able to define security is that all industries are left with little choice but to establish regulation and compliance mandates or recommendations. While it is not possible to state definitively that a company is ‘secure' without an objective definition, it is possible to state whether a company is or is not compliant with a given standard.
So, is compliance the same as security? The answer is a qualified ‘no,' but in the absence of an accepted definition it is the closest that we can get. The answer is qualified because the PCI DSS and other regulatory measures represent controls that are generally considered to represent best practices, but they are not the final statement on security. They cannot represent the final statement because controls should commensurate with the risk posed to the assets being protected. Compliance programs merely include controls that are considered by the relevant regulatory body to represent the minimum requirements to which a company should adhere given the risk to data.
However, static compliance programs cannot account for the real-time behavior of a determined advisory. For this reason, compliance with any program should be a starting and not an end point. Companies should pursue compliance with the understanding that additional measures will likely be required, depending on their own definition of security.
Chris Mark is PCI compliance practice lead at AT&T Security Consulting.