When 'Compliance' is just NOT ENOUGH!
I have always been amazed by businesses' contempt for compliance, and equally by the heightened level of assurance they take from getting their hands on an annual certificate of compliance. Common to almost all of these businesses is a focus on 'doing the bare minimum' needed to achieve compliance.
Perhaps this is caused by the very term COMPLIANCE.
In psychology, the term refers to:
"Changing one's behaviour due to the request or direction of another person.
It is going along with the group or changing behaviour to fit in with the group, while still disagreeing with the group".
If the objective of a security controls framework is to reduce risk within your defined scope (preferably your organisation's critical assets, processes and operations), why would you still be in disagreement with it?
Surely, having better defences should be seen as a good thing, yes?
Then, why do some businesses still look at Cyber/InfoSec or Resilience as something that they need to do with a great deal of reluctance?
If an organisation is compelled to achieve certification, they will tend to focus on achieving 'COMPLIANCE' through the easiest channel, rather than with a focus on the things that are most important to the business.
Consequently, they suffer an unforeseen loss caused by a failure in a primary (critical asset) or secondary (3rd party) source that was never brought into scope.
Think of it like maintaining a motor vehicle and focusing your 'COMPLIANCE' efforts on the interior trim, while no attention at all is paid to the more critical components.
To the driver and passengers (the stakeholders) the vehicle will continue to appear pristine. Over time, however, the critical components will degrade and the risk to the safety of the driver will greatly increase.
These out-of-scope assets will become the target of opportunist criminals, or the cause of a serious system outage. Consequently, for an effective protective security strategy it is essential that the business identifies what is important to it and ensures that this is communicated to the Cyber/InfoSec and IT Support teams, so that the scope is driven by the business's critical assets rather than by whatever is easiest to certify.
Imagine a scenario where the business is a manufacturing company whose Board members have expressed a wish to become ISO/IEC 27001:2013 certified. For ease and simplicity, and despite the advice of the InfoSec Manager, the Head of IT decides to limit the scope to just the administration and maintenance of the organisation's laptops (excluding the users of those laptops) at a single location, rather than extending it across the company's global operations.
Consequently, the scope is limited to half a dozen members of the IT team. Omitted from the scope are the industrial control systems (ICS), circa 5,000 end users, the business applications, workstations, servers and all network-connected 3rd parties.
The Board members receive notice that their business has been certified as being "COMPLIANT", the Head of IT gets congratulated on their efforts and this even gets a mention in the company's annual report (shareholders are reassured).
In contrast to the actual scope, the certification is described as:
"We have externally audited ISO 27001 certification for key systems and locations, whilst internal and external auditors review and report on the operation of all cyber and system controls annually."
Would you say that this description gives an honest picture, given the critical assets omitted from the ISO/IEC 27001 scope?
The stakeholders are never informed of the true extent of the scope and remain blissfully unaware that their 'Wheels are about to fall off!'
The Head of IT is happy and content, believing that what they regard as the 'key systems and locations' (Sales, Marketing, Human Resources, IT, etc.) are suitably protected, based on what they believe the threats to be.
No cyber criminal is interested in Manufacturing?
Industrial espionage is not a risk?
The end users are not a risk?
The internally developed applications are not a risk?
The servers are not a risk?
The network connected 3rd parties are not a risk?
Sound like a crazy idea?
If you are a stakeholder in a business and want additional reassurance about the extent to which your motor vehicle is being maintained, please do not rely on the annual certificate alone. Spend a little of your time asking exactly how far the certified scope extends and what the statement of applicability (SoA) includes and, just as importantly, what it excludes and why.
If you are doing due diligence on a 3rd party's security, do not rely on the annual certification alone. Ask for a copy of the certificate and its scope statement, and confirm that the scope actually covers the systems, locations and services you depend on. Ask some probing questions and, for your higher-risk suppliers, insist on an onsite visit so that you can evaluate their ability to maintain your vehicle.
Risk-assess your critical business operations and apply mitigating controls drawn from the framework appropriate to each (e.g. PCI DSS for payment card data operations, NIST SP 800-82 Rev 2 for industrial control systems), implement a schedule of internal assessments, and treat the external audit as a value-add to your business rather than as your 'Magic Pill'.
Much like insurance, "COMPLIANCE" can be a good thing for your organisation, as long as it is correctly scoped and senior management is not just 'Going Along With It!'
If you are an organisation that has, or is considering, an information security certification please ensure that your scope and audit covers your critical assets and business operations.
Think of the cost of having someone inspect your vehicle's safety, versus the cost of your vehicle being written off through poor maintenance practices.