As a relatively new CIO with responsibility for information security, I remember agonizing about making sure we could pass the latest compliance test. The whole process was wrought with inefficiencies, with different teams responding with evidence for similar control objectives associated with different control standards. It was death by a thousand controls. It didn’t matter which standard – PCI, HIPPA, SOC2 or ISO – all that mattered was putting a check in the box and not having to worry about it for another year. Many other CIOs in my circle of confidants were struggling with the same thing and, more alarming, was the realization that many of our “attestations” were actually “aspirations.”
In order to convert the “aspirations” into “attestations,” we focused on programs of security hygiene, which allowed us to feel a bit better about our responses, but all this foolishness was doing little to make us more secure.
Over the years, a more effective model for addressing both information security and compliance standards has emerged. That is, instead of starting with compliance, END with it.
The model starts with analyzing company-specific threats and ends with an environment where the company is more compliant and is able to confidently attest that it:
At Veracode, we use a simple model to identify what assets and business processes would be most impacted by an inside or outside threat:
Then we use common Security Risk Assessment Processes to gauge the business impact and likelihood, and develop mitigating controls to protect each specific high-value asset.
We are also mindful of current threats and advisories. For example, recent Verizon Data Breach Investigations reports cite the top three threats arising from phishing, malware on endpoints and compromised credentials. This informs our focus on programs for employees, changes to and additions of processes and deployment of technologies to respond to each.
The next step is to generally assess controls based on common frameworks to gauge maturity of our program against industry standards. In our case, we use a combination of the NIST Special Publication 800-53 and Cloud Security Alliance Cloud Security Control Frameworks. These assessments yield dashboards to communicate to our executive team and board where we are doing well and where the gaps are. The reality is that security hygiene is an ongoing process, and the dashboards ensure that the gaps aren’t in areas that would risk our high-value assets or increase our vulnerability to current threats and advisories.
Finally, our experience shows that by taking this approach, we are able to make solid attestations when responding to compliance standards, audits and customer questionnaires. More importantly, where there are gaps (and there always will be some), we can demonstrate that, while we’re working to address them, our customers’ and our assets are not at risk.
Has your security program moved beyond checking boxes for auditors?