If Compliance Were an Olympic Sport

Gunter Ollmann

It probably won't raise any eyebrows to know that for practically every penetration tester, security researcher, or would-be hacker I know, nothing is more likely to make their eyes glaze over and send them to sleep faster than a discussion on Governance, Risk, and Compliance (i.e. GRC); yet the dreaded "C-word" (Compliance) is a core tenet of modern enterprise security practice.



Compliance

Security professionals who come from an "attacker" background often find that their contention with Compliance is that it represents the lowest hurdle — with some vehemently arguing that too many security standards appear to be developed by committee and only reach fruition through consensus on the minimum criteria. Meanwhile, there is continuous pressure on businesses to master their information system security practices and reach an acceptable compliance state.

Compliance, against public standards, has been the norm for the majority of brand-name businesses for over a decade now, and there's been a general pull-through elevation of security performance (or should that be appreciation?) for other businesses riding the coat-tails of the big brands. But is it enough?

Olympic Games

When I think of big businesses competing against each other in any industry vertical sector, I tend to draw parallels with international sporting events — particularly the Olympic Games. In my mind, each industry vertical is analogous to a different sporting event. Just as athletes may specialise in the marathon or the javelin, businesses may specialise in financial services or vehicle assembly, with each vertical — each sport — requiring a different level of specialisation and training.

While professional athletes may target the Olympic Games as the ultimate expression of their career, they must first navigate their way through the ranks and win at local events and races. In order to achieve success they must, of course, also train relentlessly. And, as a former sporting coach of mine used to say, "the harder you train, the easier you'll succeed."

Be prepared

I see compliance as a training function for businesses. Being fully compliant is like spending three hours a day running circuits around the track in preparation for being a marathon runner. Compliance with a security policy or standard isn't about winning the race; it's about making sure you're prepared and ready to run the race when it's time to do so.

That said, not all compliance policies or standards are equal. For example, I only half-heartedly jest when I say that PCI compliance is the sporting equivalent of being able to tie your shoe-laces. Although it's not much in the grand scheme of security, and while it's not going to help you win any races, it's one less thing to trip you up.

Best Practice

If compliance standards represent the various training regimes that an organisation could choose to follow, then "best practices" may as well be interpreted as the hiring of a professional coach; for it's the coach's responsibility to optimise the training, review the latest intelligence and scientific breakthroughs, and to push the athlete on to ever greater success.

In the world of information security, striving to meet (and exceed) industry best practices allows an organisation to counter a much broader range of attacks, to be better prepared for more sophisticated threats, and to be more successful and efficient when recovering from the unexpected. It's like elevating your sporting preparedness from limping into 64th place in the local high school 5k run due to a cramp in your left leg, to being fit and able to represent your country at the Olympic Games.

My advice to organisations that don't want to find themselves listed in some future breach report, or to watch their customers migrate to competitors because of yet another embarrassing security incident, or trip over their untied shoe-laces, is to move beyond the C-word and adopt best practices. Constant commitment and adherence to best security practices goes a long way to removing unnecessary risk from a business.

However, take caution. "Best practice" in security isn't a static goal. The coach's playbook is always developing. As the threat landscape evolves and a litany of new technologies allow you to interface and interact with clients and customers in novel and productive ways, best practices in security will also evolve and improve over time as new exercises and techniques are added to the roster.

Improve the roster and develop the playbook and you're sure to beat those looming threats and push your business and customer service through the finish line.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft