Don't Let Data Drive Your Compliance Efforts

Published: 22/11/2024   Category: security

Compliance continues to be a driver for many security programs, but not necessarily for the right reason, says former NSA analyst and current Accuvant GRC guru Doug Landoll in an interview at the RSA Conference.



Last week Dark Reading had a chance to catch up with governance, risk, and compliance (GRC) expert Doug Landoll at the RSA Conference to talk about trends he's seeing from customers, partners, and prospects as they navigate new challenges in 2012. A former analyst at the NSA and a longtime consultant currently acting as a security architect for Accuvant, Landoll is the author of The Security Risk Assessment Handbook.

DR: From the compliance side of the house, what are you hearing from prospects and customers at the show?

Landoll: In compliance, I'm seeing a couple of different things. It continues to be a driver for a lot of security programs in that it's one of the first things that C-levels see necessary for funding security. We wish it would be the other way around. We wish it would be protection of business assets. But it can be used to motivate and develop a secure security program no matter what the driver is because I've yet to see a compliance regulation that tells you to do something stupid.

It may not give you clear guidance, and sometimes you look for better interpretations, but at the end of the day, we want stronger passwords and patched systems. These are good things, not bad things. I'll take those as drivers. The other thing I'm seeing is a lot of security programs that have already gotten over that hump. The organization has hired a real CISO; what I mean by real is that they don't report inside of IT -- and they've implemented their security operations.

The tougher thing is the governance piece because business units are used to standing on their own. And there are big functions within the organizations that drive those different business units, like finance, but they're not used to being driven by outside requirements, like security. So that's where the CISO needs to take that leadership and be in an environment acceptable of that leadership.

DR: How do you advise your clients to fill that governance leadership gap?

Landoll: If there's a CISO in place, I want to make them successful. I want to help them navigate that management and political atmosphere because you can think of politics as a four-letter word, but it's a job description. You've got to understand it and utilize it.

One of the ways we help them do that is to help them set up governance. So what other business units need to be involved in making these decisions and monitoring policy exceptions and accepting the risk -- and that sort of stuff. We help them come up with an overall plan that accounts for all the business units, and really starting from business objectives and not IT objectives. You don't start off saying, "Here's my security plan. I need to secure the database, and I need to make sure that hackers can't get in, etc." That's a bottom-up. What you really need to start off with is, "I need to understand from the business how we make money; therefore, what are my sensitive assets, what are my critical systems, and then what's the need?"

Because you can talk in general that we need to protect them, but you need to get more specific, like, "How soon do you need to bring this system back up if it comes down?" and, "Are you going to pursue an investigation and spend money to find out who the hacker was?"

In some organizations it's a yes, and in some it's a no. But you've got to figure that out.

DR: Do you have some tips for our readers about how to start that process of asking the right questions?

Landoll: I would say, in general, align your objectives. Find out what makes your boss successful and then align yourself the same way.

You can even start by uncovering some objectives they might not know they have. For example, in a recent engagement where I was helping set up IT governance, one of the questions I asked all the business units was, "Are you aware of all the policy exceptions that have been granted in the organization?"

At first they'd say yes and I'd say, "Well, how would you find those?" And they'd say, "Well, I'd have to go through my email." So you're not really tracking them. You're aware of the decision when it was made, but you couldn't say, "I granted an exception, I'm giving it six months, then I'm revisiting it."

So you want to control exceptions because you've set a policy and you need to know what you need to get into place to get everyone aligned with it. So educate them so that they can articulate their objectives and then align yourself. Start giving them their reports and say, "Here are all the ones you've granted. Here are some compensating controls that you can put in place for those." Don't just grant them. Put something else in place.

DR: Have you seen any interesting GRC plays on the show floor?

Landoll: There's a lot of point solutions out there. I'm not a big fan of point solutions. You're going to have to have them when you need them as things are evolving, like mobile devices and mobile management. That's going to be a point for now. But I don't get driven in my security program development by technology. That's the wrong way. You need to think about your security program, then see what technology is out there. If it's not there, put in procedures.

DR: Where do you think the biggest GRC gaps exist technology-wise?

Landoll: One thing is affordability of GRC tools. That needs to get affordable. I think people need them. It is tough to manage all those regulations, to set your policies, your objectives, and to roll up some kind of enterprise risk that managers can drill back down. Everybody needs this.

DR: And it's so complicated they usually need to hire someone like you, right?

Landoll: Sometimes, and sometimes not. It's never going to be the point where real small businesses are going to hire people like us. But they need a solution, too. It should be the businesses that have complex business environments, new requirements, that sort of thing. They're the ones that need to hire consultants. But if you're doing what everyone else is doing, there should be some products or some easier solutions out there for you. I don't know that it's simple yet. It's still some heavy lifting. Don't get me wrong -- people need these tools, absolutely. But it's a big decision for them. And they need to find the budget right now.

DR: Not to mention there are so many moving parts to contend with.

Landoll: I'm really pleased with the way the tools themselves bring them together. I like the way they bring those moving parts together. I'd like to see it in the hands of more organizations instead of just the enterprise. I think it's moving into the medium business, and I'd encourage that. The more we can bring that there, the easier my job is.

DR: One of the buzzwords du jour of the show is big data. What does big data mean for security, compliance, and monitoring?

Landoll: I think big data is such an amorphous term; it has no meaning to me right now. I don't know what someone's talking about when they're talking about that. It's something around the consolidation and use of data. But I'm not a big fan of letting data drive you. We've seen that with IDS systems, SIEM systems, etc., saying "We've got all this data, let's make a chart and try to figure out what it tells us."

Don't let the data drive you.

What you should be doing is saying, "Here's the business problem I need to solve, the element of my business I need to manage," and then think about what data you need to manage that. And you'll find out if it's already being produced. Chances are, it's being produced already or it's really easy to get. And then there's going to be a whole bunch of data out there that's superfluous, and you're wasting your time tracking it.

DR: It does seem like a lot of times security monitoring drives the client's compliance and risk programs rather than the other way around.

Landoll: Yeah, I think so. If you break down the compliance requirements in a PCI or a HIPAA, it's clear there's some technology requirements, in which case I'd love to have some data, but there's a ton of requirements that are outside of it. When's the last time you saw somebody's security dashboard include security awareness training? Or policy updates? Or anything along those lines. That's a requirement in HIPAA just like everything else.

Furthermore, the security dashboard probably includes a lot of things that aren't a HIPAA requirement.

So what are we doing here? We're letting the data drive us. That's the wrong way.