We've gone over this subject a few times, but not in great detail. It's
for this reason I'm going to dedicate an entire article to the subject. If
you're following compliance only,
you're not doing your job. There you have it, I said it. This is a blunt way of
saying, be security minded, before
following compliance and just hoping for the best. Now I know there are many
people out there who want to follow security first, but aren't allowed to. This
article isn't for you. This is for the people that look at compliance as their
only means of protection. There are plenty of businesses doing this now with
security minded people grudgingly attempting to push them through the muck and
mire of the compliance-only ideology. The next ten, tongue in cheek, warnings
are for those who are stuck in a compliance-only frame of mind. So for those
that don't want to move forward and understand that compliance will not protect
you when the attackers come calling, here are ten ways to cement your position
as a compliance-only, non-security minded practitioner.
- Don't ever look past the compliance standard – When you ask an auditor why something needs to be done a certain way, take their word for it. Never ask why, or whether you can be creative about your architecture. Follow their every word and wait on them with bated breath. They're professionals after all, and you're paying them good money. How could they be wrong?
- Believe you are secure with only compliance – Only malicious and nefarious attacks happen to large companies. You're not on their radar right now, so you'll most likely skate free without being noticed. What are the odds? These things only happen to ultra-large organizations anyway; you're safe to sleep well at night.
- Never use compliance as a way to increase security awareness – Just because you have the ability to use compliance to put your security program on the map doesn't mean you should take advantage of it. Make sure no one outside your team is aware of what you are doing, and keep these things to yourself.
- Make sure you select easy assessors – We know that not all assessors are created equal. Make sure you do your due diligence and select the vendor that's going to give you your corporate compliance the quickest. Don't have assessors come in that will challenge the status quo, which could push you into a security mindset. You wouldn't like that. And above all things make sure the assessor brings their rubber stamp.
- Always use the same assessors every year – The best way to quickly pass compliance is to have the same set of eyes on your environment every year. This will increase the speed that you receive your precious compliance, since your habitual assessor has already beaten this path, and it will make the process ever so much easier.
- Be content with checking the boxes – Once you have every check box securely filled in, you can be almost absolutely sure that you're safe from attack. The assessors' job is to make sure you're hacker proof, and they're normally never wrong. Make sure you put full faith in the compliance standard, as well as in the assessor in place to bring you into their compliant beliefs.
- Don't worry about security unless an audit is underway – Security all year is hard. Make sure you only become interested in it while an assessment is underway. Since you're using the same assessor that was chosen for looseness, it shouldn't be hard to pass an assessment even while only being concerned for a few weeks out of the year. No one has time to be secure all year round, so don't be too hard on yourself.
- Never include out-of-scope systems in your thinking – Make sure you're only concerned with systems that are being audited, because that's really all that matters. The systems that are out of scope are just that, out of scope. They're not important, and even if an attacker somehow got through your assessor-approved bulletproof architecture, they wouldn't care anyway. All the juicy systems are in scope, and those are the only ones that should be protected. The rest are just hangers-on and should be dealt with when you have time, but it's not urgent.
- By all means, don't be proactive – Being proactive with your thinking will eventually bleed over to being secure, which after all, is what we're trying to avoid. Pushing for new technology and procedure could quickly get out of control. If you start being proactive it's going to affect all your systems; and we only want in-scope systems, remember? Do only as you're told and don't look for ways to improve.
- Make sure management knows compliance is most important – Your management is ultimately in control of what happens to your program, so don't bring up risks outside of those that might affect your ability to comply with the standard. They shouldn't be consulted or told about other risks to the environment. They're so very busy anyway, so why even bother them? Make sure that they are effectively lulled into a compliant mindset so that they're not awakened into worrying about security. This could ruin the compliance-only program you've worked so hard to achieve.
By following these ten sure-fire steps you'll become the best compliant-minded
practitioner on the face of the planet. Follow them well and treat them like
the compliance standard itself, but be very careful. If you feel yourself
asking questions, or even having doubts about these ten steps, you're on your
way towards being security minded. And for someone that's stuck in a
compliance-only mindset this can be very dangerous. It will have you start
thinking outside the box and worrying about the security of your entire
infrastructure. Be careful, stay the course.