It’s been a long, excellent Labor Day weekend – I spent it in Phoenix visiting my sister. Good times! So, here I am writing this post waiting for my flight at Sky Harbor and catching up on news. It’s hard to ignore DigiNotar (more on this one in a subsequent post).
The fact that they have been compromised is a concern for me. I’ve been into Public Key Infrastructure (PKI) for a while now, and Certificate Authorities are supposed to be solid on the security front. They’re clearly not, but this isn’t news. I don’t have the inside information on the DigiNotar breach, so I haven’t insight to their compliance program nor their security operations, but all this news did get me thinking (there is an initial report available from Fox-IT).
How do you bring focus to security in a world where compliance is (was?) king? I’ve said this before, and I’m saying it again here: Compliance isn’t dead, but it is going to change.
What if we were to focus our efforts at changing the focus of compliance instead of shifting our focus to security? What if we started over with our compliance efforts and started really looking at data-backed risk analysis mapped to effective security solutions?
I hear a lot of people in the industry (especially at security automation workshops and related gatherings) talking about compliance efforts and how they’re not good enough, and how we need to “worry more about security and less about compliance,” to which I often say, with respect, “BS!” Yes, you need to be concerned with your security operations (you always should have been). What happened with compliance is that it got away from security some years ago and became more of a self-sufficient bureacracy – good at carrying its own weight, but not necessarily good at validating that effective security is being practiced. Put simply, compliance needs to change. More accurately, the way we practice compliance needs to change.
Part of this change will take the form of increased automation of typical compliance tasks and processes. Rather than annual audits, organizations will be able to, essentially, audit on demand by effective use of continuous monitoring. Organizations will be able to quickly and effectively see the assets on their network, add new ones, remove those that have reached end of life, and policies will be applied automatically – all with minimum human intervention. This type of change is already being realized in some federal departments, and NIST has recognized the success – so much so that the security automation community is working on a Continuous Monitoring reference architecture.
Increased automation and ease of interoperability between disparate tools has an important positive consequence: Humans have more time on their hands, and that means they can focus on the very important aspects of security operations. This also means that organizations will have more time to develop and implement intelligent metrics for feeding back into the compliance program, effectively enabling the important feedback loop from operations to policy. This feedback loop then guides security operations, generating more data, and the process continues.
So there you have it. If you want to bring focus to security, then focus your compliance efforts smartly. The result will be gains in efficiency coupled with reductions in cost, which which will enable your security operations to become more effective.