Is compliance dead in the water or, as a good friend of mine in the industry enjoys reminding me at every turn, is it really the frog in soon-to-be-boiling water? Given the recent high profile breaches attributed to Anonymous and LulzSec, it’s easy to say, quite flatly in fact, that compliance simply isn’t cutting it.
But, does that mean compliance is dead? Not any time soon. Instead, compliance will change. I’ve been harping on this for a while – and some of my Tripwire colleagues know what’s coming here – but the truth is that Information Security compliance programs were born from Information Security in the first place – as an efficiency; a way to ensure that your bases were covered in the same way across your enterprise.
The problem is that the notion of a compliance program has really turned into a bureaucratic mess – we became so obsessed with tracking things, checking things, and covering our collective asses that we (the industry as a whole) forgot about taking risk into account and, perhaps most importantly, why we had information security compliance programs to begin with. How many compliance programs are truly based on risk? I would bet that most aren’t, but I think that’s a subject better left for another post.
The issue at hand now is that compliance folk are probably feeling threatened, and rightly so – the way they do things needs to change. Instead of being caught up in the process of compliance, we need to start getting back to our security roots, and I can’t think of a better way to enable that movement than to increase the level of security automation in the enterprise.
The question is, where (and how) should we start automating? We have some good ideas at Tripwire, and we’d love to hear your thoughts on the subject. While you’re at it, have a look at the Security Automation efforts being pushed forward by the National Institute of Standards and Technology. There are two protocols of particular interest with respect to automation: Security Content Automation Protocol (SCAP) and Event Management Automation Protocol (EMAP).
I’d love to hear your thoughts on both of these efforts and on the notion of automating as much of the right things as possible in the security automation domain.
If you’re interested in learning more about how to achieve better security, watch this videocast with Josh Corman and Mike Dahn.