The State of Security (Part 2 of 4)
Will state law set a new low for information security?
There are two fundamental approaches to security: do what you have to do, and do what you need or want to do. These are not mutually exclusive, and in practice many organizations mix them. That does not mean there are no companies that do only what they have to. Where that is the case, the result is a minimalistic posture, which many refer to as the “checkbox” approach. At the other end of the spectrum are organizations that implement security because they need or want to, in order to reach a level of assurance that supports the business or organizational mission.
To elaborate, take a typical merchant that is subject to PCI. Before PCI there were few, if any, requirements mandating information security practices around card processing. With PCI in place, merchants now face explicit requirements or suffer the consequences. Some approach this in a checkbox manner: PCI says I must do this, I do it, check, next. If PCI doesn't require it, it won't get done. At the other end is the DoD, with mandates such as FISMA and DIACAP. Everything required there exists to ensure the mission, because failure of mission systems (specifically those in MAC I and MAC II) represents an unacceptable impact to that mission. This is an example of an organization that needs and wants security in order to complete an objective, or to protect the information processing assets used to carry out the mission.
Although FISMA, DoDI 8500.2 and the like appear as regulation, and they are, they are the product of governance and mission management. In other words, they are self-imposed, based on a reasoned understanding of why the organization exists and what it takes to keep operating effectively. This is the complete opposite of the merchant example. A merchant's mission is to make money, not to spend it on controls that produce no revenue. So the DoD drives security to ensure the success of the organization and its mission, while for a merchant security has very little bearing on the objective; it runs contrary to the business's success factors and is therefore treated as a cost of doing business. As we all know, businesses want to minimize cost, so a minimalistic approach is preordained.
Add to this the fact that laws are naturally minimalistic, and you find that companies are now being handed a quantifiable, legally defined minimum for operating. This is a dramatic shift. To see why, a quick review is in order.
Before regulation, security was based on organizational culture, interpretation, risk and valuation. Companies could choose exactly the security they thought they needed. This was the era of security best practices. Early regulations such as HIPAA and GLBA were effective in raising awareness and general expectations, but they were not especially specific, which actually worked in their favor in terms of longevity.

Throughout 2006, 2007 and 2008 there were a number of high-profile attacks that led to substantial litigation. That litigation was ultimately grounded in negligence in security, not in non-compliance as the root cause. During this period, beginning in California in the early 2000s, states learned that they could take the initiative and avoid the slow red tape of Congress at the federal level. Empowered with greater ability to control the outcome, and faced with class actions and other litigation that consumed resources in the burden of proving what counts as security due diligence after a breach, states are now moving rapidly to create laws that define specific expectations for due diligence and remove ambiguity from the courtroom.

Meanwhile, the evolution of security within businesses and organizations has broadened the spectrum between checking the box and doing what the business needs or wants, with more and more organizations moving toward the checkbox approach to minimize cost. Before the emerging state and federal laws, PCI DSS was one of only a handful of standards that set specific requirements. Yet it was not PCI DSS non-compliance that was raised as the charge in those cases; it was, again, negligence.
Given this evolution, with states defining minimum requirements to streamline legal proceedings while more and more companies adopt a checkbox approach, we may be headed for a debilitating collision between what the law requires and what is actually required to protect information assets.
To boil this down: states are looking for a clear, legal delineation of acceptable due diligence, not only to protect their constituents but to reduce vagueness in court. Companies, meanwhile, are overwhelmed with regulation and growing weary of spending massive amounts of money on becoming “secure” (that is, compliant), only to be successfully attacked and then face legal consequences based on a nebulous standard of due diligence.
In the next part we'll look at all of this from the business executive's point of view and ask what really matters. Is it customer retention, brand and valuation, or is it avoiding legal liability?