We're posting this one a little early to make sure we catch folks reading the customer newsletter.
There's been a lot of chatter about this in the past, but with all the breaches recently, it makes you wonder... does compliance actually make you more secure?
On the one hand, if you are already protecting your data, and generally following security best practices, compliance is kind of just a pain in the butt, a bunch of rubber stamps that you spend your time aligning to that just end up being a thorn in your side.
On the other hand, compliance initiatives really are trying to encourage standard ways to protect sensitive data (personal health info, intellectual property, credit cards, etc). They are generally things that people really should be doing to keep that data safe (generally...).
But in the end, if you are only compliant, are you actually more secure? Practically, for the smaller/midsize organization, compliance is an opportunity to get budget to BE more secure or implement some best practices that haven't really had a motivating factor (the whole "security is a cost center" sort of problem).
What do you think?
I think the general sentiment on this thread is spot on in that compliance *should* just verify what you are already doing, but for some smaller shops without enough direction, it can be used as a roadmap for an industry-recognized baseline of standards.
This question started me thinking… “more” implies that you have an additional amount of security than you did before you were compliant. So while compliance does imply a minimum level of security, it might not “make you more” secure. That will depend on where the organization started and where it ended up.
In the case of most small businesses that I have worked with over the years, yes, they would be more secure if they could even afford to become compliant in the first place. But in reality many will just ignore the compliance issues, and if something happened they would be forced to close. In that case it will not make them more anything, except maybe stressed.
As some of the others have mentioned, with the medium and large businesses the compliance initiative often drives IT spend, which allows the organization to become more secure. Therefore, yes, they are more secure.
In the enterprises that I have worked for, compliance audits have exposed some glossed-over issues and allowed them to be patched. Sometimes we received additional budgets to code to in support of the project. It also helped create process to prevent future misses. So yes, enterprise-class businesses are often more secure due to compliance.
Though a friend of mine in a different enterprise always brags to me that they complete all of their audits with no issues found. So I guess there are a few cases that would answer no. For them, compliance is just busy work that slows down the real work they do. But how many companies is that really? (Now that I think about it…maybe he is just yanking my chain…hummm)
Yeah, it seems like the general case is: in a perfect world, compliance doesn't make you more secure because you already are. But, in reality, compliance CAN make you more secure because you can't get budget/resources to be secure in the first place.
Busy work yes, but not without actual value if you make a decent effort. There's always the checkbox compliance people who just want auditors to go away (well, we all want that, but you know what I mean).
From the vendor side, we saw people in the same industries you'd expect to have data to protect invest in monitoring tools BEFORE compliance was a big thing (banks, hospitals, legal, government, etc), but compliance definitely gave security monitoring a lot of momentum. The difference in retail companies' investment due (thanks?) to PCI is pretty significant, I think that's the big one that also gets a lot of shame.
I think compliance makes you a bit more secure as it forces you to have certain things in place. The problem here is that security is a mindset; you need to want to have security if you are going to be secure. Often companies are just going through the motions to have the compliance box checked and don't necessarily want to have a high level of security.
In general, the process of getting formal (audited) compliance can greatly improve security - but it is usually the ***process of getting there*** that does so, the actual rubber stamps have sufficient flexibility that they are not in themselves a guarantee of proper (or even consistent) security levels.
Also, one industry in particular that I am familiar with has multiple regulator-imposed system/data security compliance requirements that actually contradict each other, which is unfortunate...
While my SIO would disagree with me, I would say YES. If you are already protecting your data and following best security practices, it makes the audit process much easier. It's definitely made us more aware of possible vulnerabilities in our environment. We are much more proactive in adhering to security standards and hardening our systems. Being a small shop, the budget is always a concern, so in the past we may not have been able to afford the equipment we needed. Honestly, while being compliant is a pain, it's nice to be able to say to upper management, "We need device 'A' and application package 'B' to be compliant." More often than not, anything needed to be compliant is approved.
That echoes what we've heard from other people, too: compliance can get you budget that actually DOES make you more secure, so it's a good thing, though maybe not in the way it was intended.