When I first blogged about my experience at RSA Conference 2009, I noted that cyberwar, compliance, virtualization and cloud security were key trends at RSA. A week later, I still see that as an accurate statement, but it’s one that fails to capture a shift in the larger context of information security in 2009.
It’s not enough to be compliant anymore; organizations must actually be secure.
Security and compliance officers understand the distinction, of course, but guidance is now coming down from top scientists and, if recent legislation in Washington passes, directly from the federal government. Just read “ICE Act would restructure cybersecurity rule, create White House post” and “Kill-switch bill would add certification, licensing burdens” to see what may be coming down the pike.
I gained perspective on this trend towards actual security, as opposed to rubber-stamped compliance, throughout RSA. Speakers, panel sessions, analysts and informal conversations with security practitioners all reiterated that security and compliance aren’t the same thing.
Alan Paller, director of research at SANS, said he sees the shift from compliance to actual security as long overdue — and driven directly by the Department of Defense. As Paller sees it, the “20 Critical Controls,” or consensus audit guidelines (CAG), are the new gold standard for security and compliance for federal agencies, defense contractors and all other parts of the nation’s critical infrastructure.
The Commission on Cybersecurity for the 44th Presidency, headquartered at the Center for Strategic and International Studies, released a cybersecurity report that supports and extends these controls. Former USAF CIO John Gilligan has been driving discussion and implementation of these controls through the national defense infrastructure. As Paller noted in an interview, it’s key to know what metrics matter. Without guidance, “people will dashboard all the wrong data. It’s like keeping a garage clean but not bothering to lock the door.” Paller says that the SANS Institute is shifting its training for security and compliance professionals to “the controls that matter” under CAG, focusing on actual security. That means hardening software, hardware and infrastructure after taking inventory of all assets, as mandated by NERC compliance requirements. “Government agencies must be required to comply with a set of prioritized controls that actually stop attacks.”
Peter Firstbrook, a Gartner analyst for security, said he sees considerable frustration among enterprise executives in the private sector regarding the mismatch between security and compliance. The trend he sees is towards “minimizing the attack surface,” an approach in which security isn’t addressed with patches, nor compliance with checklists. Organizations are doing due diligence with regard to gap analysis and taking inventory of both proprietary and protected data. That’s key, since Firstbrook has observed that malware is getting more and more intelligent. “There’s a huge infection of targeted attacks that disable endpoint security.”
Firstbrook also extended a biological metaphor to the security challenges faced by organizations in the current landscape of shifting threats: “Patches are like a visit to the ER. The key is to understand AV, software, hardware, viruses and worms as part of an ecosystem of threats and to engage in preventive ‘medicine’ beforehand. Conficker was avoidable.”