From Sarbanes-Oxley to HIPAA to PCI/DSS, chances are your company is subject to myriad compliance requirements. And although the goals of such regulations are noble, the chunk taken out of your security budget to uphold them is considerable, in some cases precluding stronger, more tangible computer security protections. In other words, by spending heavily on the letter of the law, you may, in fact, be putting your organization at risk.
Stephen Northcutt, director of the SANS Institute, agrees that IT’s ongoing emphasis on compliance may be worth reconsidering. “It’s an audit mentality, not a security mentality,” Northcutt says. “It’s, ‘Let’s do everything we can to meet a checklist of audit requirements that in the end do not guarantee or measure real security.’ The audit requirements and regulations are generally too broad, with gaps and overlaps. And when the first audit is over, the team switches into another, entirely different mode to satisfy the next audit, which requires different objectives.”
Most companies fall under multiple regulatory laws with overly broad descriptions of what is secure. Whether you pass or fail a particular audit requirement is up to the discretion of external auditors. Not surprisingly, pleasing auditors often has little to do with sound security practice.
“The first auditor said we had to use passwords with a minimum of six characters. Another said passwords had to be eight characters and complex,” a bank IT director says. “One cared about account lockout mechanisms. The other didn’t. Neither asked about all the other factors that impact overall password security. … And if you read the actual regulations, they don’t specify a particular number of password characters. They just say passwords need to be secure. That’s it.”
Robert W. Hodges, information security officer at Bon Secours Health Systems, says, “When we get two conflicting or overlapping regulations, we play it safe and take the most conservative, secure approach. That way it satisfies both requirements.”
But always taking the most conservative approach means higher spending — in many cases, more than is necessary from an overall security perspective. Regulatory clarification would help; vague guidelines often acquire a specific meaning only when they are tested in court. Yet with regulations showing more bark than bite, even though most organizations are not fully compliant, you have to wonder where to draw the line when financing compliance efforts. After all, continually redirecting vast amounts of IT dollars and attention away from other practical security projects in order to remain compliant could prove considerably more costly down the line.
Your only solution, however, may be to hold your nose as you overspend. As Hodges puts it, “Who wants to risk their company being the defendant when the government decides to make a test-case example?”