Security and compliance go hand in hand. When a primarily compliance-driven focus is adopted, however, there are consequences, and organizations become dangerously exposed to security blind spots. The good news is that there has never been a better time to consider how innovations in security are making it easier to reduce these blind spots.
Without layered security coverage -- one weak control provides an open door to the vault
Today it is better to practice holistic security that provides a good distance between sensitive data and opportunities for the data to be compromised. While compliance requires segmentation and focus, it doesn't offer an approach for the longevity of your business. Without layered and comprehensive security, you are in danger of one weak control or human error providing an open door right into the vault where you keep sensitive data. The various security layers are evolving, moving from point-in-time trust models to continuously adaptive engines. For instance:
- Machine learning and up-to-the-moment context from multiple sources are replacing manually configured static rules.
- Endpoint detection and response (EDR) is changing the stakes for the security of your organization’s most vulnerable target -- your end-user-facing systems. Each system is now continually monitored for ransomware, fileless attacks, and phishing, and can even self-quarantine to quickly minimize the spread of exposure.
- Continuous behavioral monitoring and analytics, which proactively detect and respond to modern threats that can morph and mimic user activities, provide greater coverage than compliance-required anti-virus.
Compliance standards can’t keep pace with thieves’ automated tools and tactics
Compliance standards will never be able to keep up with the evolving threat landscape. Compliance provides a directional foundation, like a roadmap, but there are many kinds of road hazards you will not be able to know in advance. Thieves exploit vulnerabilities within days of finding them, and vendors often don’t have a security patch available. There are no guides for changing behavioral malware or social-engineered threat tactics.
The best security experts are touting the benefits of machine learning to analyze volumes of security data and find the subtle signals of security incidents. No human team can provide this level of coverage. The challenge is to validate and react to these signals appropriately. The Target breach through its third-party HVAC vendor was preceded by multiple warnings that were dismissed without proper investigation. Security management has to occur 24/7/365 to address these anomalies because attackers have automation and malware-as-a-service on their side.
Compliance is limiting -- it doesn’t provide immediate data-informed security help
What happens when something is detected? Can you identify scope and impact, and take action in minutes? Fast reaction time, with the right actions, is critical. With thousands of alerts a day from just one firewall, it’s easy to miss warning signals of threats in action. Being prepared means training across the organization to create a culture of shared security responsibility, and having security leadership that can provide decisive action when it matters. You can't get through life without a few cuts, but prompt first aid can make a world of difference so that minor issues do not become out-of-control incidents.
Security orchestration, automation, and response (SOAR) is an approach where the layered security technologies allow an organization to identify threats from multiple perspectives. The long-term benefit occurs when responses to low-level security events are automated. Industries and government agencies with highly classified or sensitive data now allow automated disconnection from network data stores and isolation of systems when critical threats are detected.
Security is unique to your business -- there is no off-the-shelf manual
Compliance provides instructions, but do not mistake it for a comprehensive security manual. A compliance-driven strategy is concerned with checking all of the right boxes. Cyber risk is becoming a core business risk that requires continuous monitoring and learning, and employment of innovation as a differentiator. If you expect to be in business for the long haul, you should be having regular third-party security assessments to validate your controls and working with the testing team to understand the findings. This is the quickest way to prioritize gaps in data protection and security in a way that is personalized for your business. Once innovative security approaches are adopted, additional benefits will emerge beyond core adaptive security and threat detection. For instance, you will be able to map patterns of user interaction with systems, data, and applications, as well as with vendors and network-connected third parties. You will have deeper insights into your digital business patterns and up-to-the-minute risks that can be used to make more informed decisions.
Adopting a primarily compliance-driven strategy is like looking at threats in the rear-view mirror, with employees reviewing past log data and changes in security device configurations. Adaptive security can be your near-real-time radar with continuous monitoring, machine learning, and orchestration. Everyday threats are closer than you think. You can make a big difference to the risk faced by your organization if you start now to raise the profile of your security strategy and prepare to take real-time action as needed.
Brian McManamon is the CEO & President of TECH LOCK, a RevSpring Company, and member of the iA Innovation Council. TECH LOCK provides managed security and compliance services for businesses by orchestrating best-of-breed security solutions into a comprehensive security platform, enabling companies to navigate complex regulatory and compliance requirements with a security-centric approach.