Secure or Compliant?
If you had to choose one, which would you choose? Are they even different? We believe the right answers to these questions are “compliant” and “yes.” However, in this case, you can have both — or “have your cake and eat it too.” There are some caveats, and we admit it is a bit of a trick question since you can never be completely secure with a threat landscape that is constantly evolving and old threats fading but never really going away. So, "secure” is a relative state and at a specific point in time. You can be reasonably secure today, but breached tomorrow via a new threat, unknown vulnerability, or change to how your technology is deployed, configured, or used. Being compliant is similar, but much less gray. You can go in and out of compliance, but it is widely accepted as a point in time tied to a version of policy, regulation, and law. Compliance is much easier to verify or even certify. Still compliance and security are interdependent and have many similarities with most people lacking a good understanding of the caveats and subtleties.
Cylidify advocates that compliant is the right focus using the supporting policies (and processes) to drive security and privacy in your business. This requires that the policy underpinning the compliance must be well written and supported by good practice — this is critical for security and privacy. Too broad or lax, and verification will be limited (and technologists will find the loopholes). Too detailed or strict, and it will be viewed as a tax or just impossible to comply with and disregarded. Even if your goal is external compliance, you should have internal policies and practices to fill gaps, make necessary interpretations, and provide overall clarity to allow verification against the external policies and practices. All policies must have sponsorship and enforcement since without a carrot or a stick, your results and ROI/value will suffer or may even become a hindrance to your business. Here are a few tips to improve your security and privacy compliance:
Get executive sponsorship and tie compliance and security to corporate or product goals. Without explicit sponsorship and actionable, measurable goals, any initiative will be derailed by the pressures of delivering capabilities or generating revenue.
Write policies and develop requirements that strike the right balance between broad/lax and detailed/strict and fit the needs of the solution or scenario. One-size-fits-all (as is the case with most external compliance and policy) will fit nothing well and have greatly diminished value. Cylidify recommends leaning toward the detailed/strict side in policies, then relaxing to fit the needs and requirements of the specific market and solutions. If development or IT sees a policy as too heavy, not actionable (noisy), or a “tax," they will find ways around it or ignore it, even with good sponsorship and enforcement. We can help to find the right balance for your business and products. Anyone can tell you to “be secure," but it takes an expert to explain the trade-offs and help develop a tailored approach that fits the market/solution — balancing risk/reward and getting measurable returns on your policy and security investments.
Meet with and listen to the constituents (those who will be subject to the policies and requirements) to agree on verification and ROI or other measures of success. If a policy can’t be enforced or verified, then it has limited value and will harm your credibility. If constituents aren't included early, avoidance or “malicious compliance” are likely outcomes.
Be aware of the "shelf-life" of policies, practices, and defenses — security and privacy are very fluid and change quickly. Have periodic and on-demand reviews of policies and practices to make sure they fit the business and market needs and all constituents have visibility. Do dry-runs with the constituents and don't be afraid to adjust "out of band".
When your market is regulated or requires certification, it can make things easier because you have goals and some policies provided (unless it's something like HIPAA which is stale and requires a lot of interpretation). You also get sponsorship from the start because security and privacy are now part of the requirements driving the business — and getting investments. Even if this is not your situation, Cylidify recommends creating some basic security and privacy policies that are integrated with your gates and milestones. These policies and a supporting Security Development Lifecycle (SDL) will give you most of what you need to build-in versus bolt-on security and privacy. In any case, you should have your own policies and practices to fill voids or support what is provided by regulations or certifications. Clarify the grays, bridge the gaps, be agile, and be reasonable with the goal of a tailored, balanced approach that fits your business and market.