Why Compliance is Dead
Information security experts have long warned that compliance does not equal security. They’ve argued that simply meeting a set of minimum requirements, whether it’s PCI DSS, SOX or HIPAA, is no substitute for making security part of day-to-day life. What satisfies auditors isn’t the same as what stops hackers in their tracks.
Nowadays, this isn’t just a hypothesis. We have concrete evidence that an organization can pass an audit and still fall victim to damaging data breaches.
Speaking a few months after the now-infamous Target hack, then-chief executive Gregg Steinhafel (who would later resign because of the incident) said, “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.”
Compliance does not equal security
Target was held responsible for the loss of 40 million stolen credit card numbers after the hack, which occurred just two months after the audit mentioned by Steinhafel. It appears that compliance played no real part in the company’s ability to prevent a breach.
The Target hack also demonstrates that the cost of recovering from a data breach can encompass far more than fines for non-compliance alone. In the second quarter of 2014, the company reported related expenses of $148 million – and that was on top of a 46 percent decline in profits two quarters previously. While compliance can protect an organization against fines and sanctions, it’s not a defense against loss of data, business, or company reputation.
Standards evolve, but threats evolve faster
Target was breached around the same time that the PCI Security Council carried out the first major overhaul of PCI DSS since 2010. PCI DSS v3.0 was unveiled in November 2013, mandating compulsory compliance by January 2015. It requires organizations to pay closer attention to their vendors, looking at security as a “shared responsibility” through the supply chain. Had this been the standard prior to the breach, perhaps Target would have taken additional precautions to prevent the breach made possible by the theft of an HVAC supplier’s username and password.
However, this also shows how standards like PCI DSS change very slowly. It took three years for the PCI Council to update PCI DSS from version 2.0 to 3.0. How much more sophisticated did hackers become in the same timeframe? How much more complex did enterprise IT environments grow, shaped by trends like bring-your-own-device and the cloud?
While years might elapse between one version of a standard and the next, criminals never stop thinking about ways in which they can compromise their targets. This was acknowledged by Jeremy King, the PCI Security Council’s international director, at a November 2014 meeting, in which he described today’s hackers as “more focused” and “more organized” than the standards body itself. “We hope to get better,” King said, “Unfortunately, the criminals are getting better.”
With threats evolving at a phenomenal rate, it’s hard to put much stock in PCI DSS v3.0’s new recommendation that compliance be treated as a ‘business as usual’ obligation rather than something an organization thinks about once or twice per year ahead of an audit. What’s the value of carrying out compliance activities on a day-to-day basis when the standard itself is out of date almost as soon as it’s introduced?
Is compliance dead?
The idea of compliance being dead isn’t going to change the responsibilities of retailers, banks and healthcare providers vis-a-vis regulations like PCI DSS and SOX. But simply checking off requirements isn’t enough to defend against cyber attacks and data breaches. While compliance can help organizations down the path toward securing their enterprises, compliance in and of itself cannot guarantee security.
Don’t make the mistake of equating compliance with security. Instead, consider compliance a starting point.