By Adam Dodge
Did the title of this article surprise you? Given the ever-growing list of Federal and State regulations pertaining to the protection of information, this surprise is understandable. After all, at the very least any information security program should meet regulatory compliance goals for an organization. However, there are a few hidden dangers with this line of thought.
As I mentioned above, the list of Federal and State regulations continues to grow, sometimes overnight (or at least that is how it seems). I do not think that it would be too irresponsible or crazy for me to suggest this growth will continue into the future. Federal Breach Notification Law, anyone? Given this growth, pushing compliance as a goal seems to make a good bit of sense since it ensures continued support for the information assurance/security/protection program.
If we step back for a second and take a critical look at what continued growth means for compliance as a goal, we can see there is a problem. How many times can we go running to our organizations with dire warnings of new or upcoming regulations before they simply start to ignore us? If you answered â€œnot that manyâ€, I agree. If (or should I say when) the new or upcoming regulation forces the organization to change established procedures, it further compounds the problem.
This is the same problem as faced by the boy who cried wolf. Whether we are crying out â€œWolf! Wolf!â€ or â€œSOX! GLBA! FISMA!â€, after a while our tired shouts will be ignored. Many security professionals have already begun to run into this problem with HIPAA. At first, it was a powerful tool to enact change. Now it seems HIPAA has lost some of its power.
In addition, if we continue to push compliance as the goal, then the very best we will ever achieve is compliance. That is all. When we attempt to push for a control not required by current regulations, there is a very good chance we will fail to achieve support because the organization currently meets all regulatory goals. This problem becomes more significant when regulations lag behind the current threat landscape (as is inevitable).
Of course, I am not suggesting that we simply ignore Federal or State regulations. Instead, here is what I suggest:
1. Use regulations as a template, a baseline for the minimum controls for your organizationâ€™s information security program.
2. Spend some time researching frameworks to help map out additional controls and features. NIST, ISO, and ISF are good places to start.
3. Above all else, the goal of the information security program needs to be the protection of information and not regulatory compliance.
Seeking information security through compliance is a recipe for failure. The good news is that the reverse is not true. A well-designed information security program will help any organization meet compliance goals while understanding that the protection of information is the ultimate goal.