While the upcoming GDPR compliance deadline will mark an unprecedented milestone in security, it should also serve as a crucial reminder that compliance does not equal security. Along with the clear benefits to be gained from upholding the standards enforced by GDPR, PCI DSS, HIPAA, and other regulatory bodies often comes a shift toward a more compliance-centric security approach. But regardless of industry or regulatory body, achieving and maintaining compliance should never be the end goal of any security program. Here’s why:
Compliance does not guarantee security
It’s critical to remember that many—if not most—breaches disclosed in recent years occurred at compliant businesses. This means that PCI compliance, for example, has been unable to prevent numerous retailers, financial services institutions, and web hosting providers from being breached, just as the record-breaking number of healthcare data breaches in 2016 were suffered by HIPAA-compliant organizations.
Compliance standards are not comprehensive
In fact, this trend reinforces how compliance standards should be operationalized and perceived: as thoughtful standards for security that can help inform the foundations of a security program but are by no means sufficient. The most effective security programs view compliance as a relatively small component of a comprehensive security strategy.
While many compliance standards do provide valuable guidance in areas such as data storage, user privacy, and breach disclosure, there are many more critical areas that they do not address. Security awareness, business continuity and penetration testing, employee education, and technical and policy controls are only a few of many such examples. This is also why, as I’ve written previously, it’s imperative to look beyond compliance when evaluating third-party risk and conducting due diligence on prospective vendors. Indeed, there’s a great deal that compliance information doesn’t tell you about a business’s security posture.
For example, not all compliance bodies that enforce data storage standards mandate encryption. HIPAA in particular recommends, but does not require, that PHI stored electronically be encrypted. Just because a vendor for electronic medical record systems (EMRs) is HIPAA compliant does not automatically mean it encrypts the PHI it stores. The same goes for GDPR; while it strongly encourages that user data be encrypted and penalizes organizations that fail to safeguard user data effectively, it does not enforce encryption. This trend is echoed in the standards enforced by various other compliance bodies as well.
Threats evolve faster than compliance standards do
Adversaries—whether seeking new ways to identify zero-day vulnerabilities or bypass the latest anti-fraud controls—are continually changing their tactics, techniques, and procedures (TTPs) and resulting threats. These rapid shifts are why getting ahead of the ever-changing threat landscape requires a dynamic and iterative approach to security.
Such an approach, however, contrasts significantly with the static nature of compliance standards and, as a result, compliance-centric security programs. HIPAA hasn’t amended its security requirements since it issued The Security Rule in 2003, despite the abundance of data breaches and ransomware attacks that have since struck the healthcare industry and compromised the PHI of millions of individuals. Updates to PCI standards, though more frequent, are far outpaced by the speed with which the threat landscape evolves. Although the implementation of European MasterCard Visa (EMV) chip technology, for example, has helped reduce the prevalence of payment card fraud, various other types of fraud—ranging from gift card fraud to identity theft and tax fraud—have since increased.
Despite the fact that compliance standards should be but one component of a larger security strategy, achieving and maintaining compliance remains a burdensome and resource-intensive process. Factors ranging from strict deadlines and implementation complexities to steep non-compliance penalties are why, for many organizations, adopting a compliance-centric security approach can seem like a reasonable and judicious decision. But above all else, it’s crucial to remember that while many compliance standards do provide clear and substantial security benefits, they are neither comprehensive nor flexible enough to serve as the sole focal point of an effective security program.