Why Security Can't Live Without Compliance

A risk-based approach to security can help organizations reduce risk, lower costs, improve response readiness, and increase risk-posture visibility.

When it comes to determining an organization’s security posture, it is a commonly held belief that performing vulnerability management will address any threats and minimize the risk of a data breach. However, without putting vulnerabilities into the context of the risk associated with them, organizations often misalign their remediation resources. This is not only a waste of money, but more importantly, it creates a longer window of opportunity for hackers to exploit critical vulnerabilities. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software flaw. Therefore, even vulnerability management needs to be supplemented by a holistic, risk-based approach to security, which considers factors such as threats, reachability, the organization’s compliance posture, and business impact.

So, what is the relationship between IT security, risk management, and regulatory compliance?

Let’s start off with an organization’s security posture, which is often mistaken to be the same as its exposure to vulnerabilities. However, there are far more factors that influence an enterprise’s security posture. For example, without a threat, a vulnerability cannot be exploited. Another limitation is reachability—if the threat cannot reach the vulnerability, the associated risk is either reduced or eliminated.

In this context, an organization’s compliance posture plays an essential role, as compensating controls can be leveraged to prevent threats from reaching their target. According to research conducted by Verizon Business, a majority of incidents are avoidable through simple or intermediate controls. This illustrates the importance of compensating controls in the context of cyber security.

Another factor in determining the actual risk posed by a vulnerability is business impact. Vulnerabilities that threaten critical business assets represent a far higher risk than those that are associated with less-critical targets.

Altogether, an organization’s focus should be on risk and not just security, which brings us to why security cannot live without compliance.

To gain insight into their risk posture, organizations must go beyond just assessing threats and vulnerabilities. They need to consider compliance as well as business impact. Only a combination of these three factors assures a holistic view of risk. Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.
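As an added illustration (not part of the original article), the following Python sketch ranks three constructed findings by combining the factors named above: severity, threat, reachability, compensating controls, and business criticality. The weights are assumptions chosen for the example, not a published formula, and the CVE identifiers are placeholders.

```python
"""Risk-based remediation ranking (added example; the weights are assumptions,
not a published formula). Score = severity x threat x reachability x impact,
so a critical CVSS on an unreachable, low-value host can rank below a
medium CVSS on an exposed, business-critical one."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                    # placeholder identifiers, constructed here
    cvss: float                 # base severity, 0.0-10.0
    exploit_public: bool        # threat: is exploit code known to exist?
    reachable: bool             # can the threat reach the vulnerable service?
    compensating_control: bool  # e.g. segmentation, IPS rule, hardening
    criticality: int            # business impact tier, 1 (low) .. 5 (critical)


def risk_score(f: Finding) -> float:
    """Combine the factors the article names into one prioritisation score."""
    severity = f.cvss / 10.0
    threat = 1.0 if f.exploit_public else 0.4   # assumed weights
    if not f.reachable:
        reachability = 0.1      # no path from threat to vulnerability
    elif f.compensating_control:
        reachability = 0.5      # control blunts but does not remove the path
    else:
        reachability = 1.0
    impact = f.criticality / 5.0
    return round(100 * severity * threat * reachability * impact, 1)


def prioritize(findings):
    """Return findings ordered by risk, highest first (the remediation queue)."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample inventory: the highest CVSS is NOT the highest risk.
SAMPLE = [
    Finding("lab-build-01", "CVE-XXXX-0001", 9.8, True, False, False, 1),
    Finding("pay-api-02", "CVE-XXXX-0002", 6.5, True, True, False, 5),
    Finding("hr-web-03", "CVE-XXXX-0003", 8.1, False, True, True, 3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.1f}  {f.host:14} {f.cve} (CVSS {f.cvss})")
```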

In general, there are three major elements of a risk-based approach to security: continuous compliance, continuous (security) monitoring, and closed-loop, risk-based remediation.

Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. The use of continuous compliance can reduce overlap through a common control framework, increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75 percent.

Applying continuous (security) monitoring implies an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.

Lastly, closed-loop, risk-based remediation leverages subject matter experts within business units to define a risk catalog and risk tolerance. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement. By establishing a continuous review loop of existing assets, people, processes, potential risks, and possible threats, organizations can dramatically increase operational efficiency, while improving collaboration among business, security, and IT operations. This enables security efforts to be measured and made tangible (e.g., time-to-resolution, investment into security operations personnel, purchases of additional security tools, etc.).

By leveraging a risk-based approach to security, progressive organizations can reduce risk, lower costs, improve response readiness, and increase risk-posture visibility. A good example is Fiserv, a company that serves the financial services industry with a broad spectrum of payment and account processing solutions. The company uses a risk-based approach to security and dynamically aggregates and correlates financial, operational, and IT key risk indicators (KRIs) from multiple and diverse controls to detect system vulnerabilities so identified risk can be effectively mitigated. This approach has reduced the time it takes to produce risk profiles from six to three months, while shortening the policy control process from four to two months. As a byproduct, Fiserv has achieved increased credibility with its board, management, and regulators. 

Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).