Strange Bedfellows: Compliance Frameworks and Technology
If you’ve consulted or advised security leaders in any capacity this post will likely speak to you. It’s a topic I’ve covered in personal conversation dozens of times, and it’s once again thrust into the fore of my mind here at re:Invent in Las Vegas.
Compliance requirements are piling up, folks. Whatever industry you’re a part of, or whatever consortium you ascribe your business to — there are likely no fewer than three compliance requirements on you. These are all likely similar, but not similar enough. The real challenge comes when it’s time to show compliance — rapidly — and you find yourself in a position of tight budgets, limited resources, and time ticking mercilessly away.
For a whole lot of the conversations I’ve had in the past 4 years — and in increasing volume — the ultimate question is how to short-cut the process of complying. It’s rarely about meeting the spirit of the compliance regime, but rather, getting to the strict letter of it to get it done with minimal effort and move on. It’s not about security, or privacy, or “doing the right thing” — it’s about checking the box with minimal spent resources and moving on.
It could be argued that this is the fault of the compliance framework writers and organizations who continue to find some strange joy in creating “yet another framework” for organizations to have to comply with. Or it could be blamed on the CISOs and companies who choose to do the least they can at every turn rather than actually putting effort into security so we’re stuck with compliance bingo. Either way, you know what comes next.
Enter technology vendors.
I have, in my past, worked for companies that sell the “quick fix”. I’m fairly confident, if you think about it, that you likely have too if you’ve ever worked for a vendor. The problem comes when the “solution” is some piece of tech. I can tell you with confidence that the person telling you that any piece of technology, alone, is the solution to a compliance or security problem is selling you something.
Any framework that allows itself to be adhered to and complied with simply by making technology purchases is junk. Knowing this, why does it still happen? I just had a conversation yesterday where after discussing how to get to SOC 2 Certification with someone — they called me back later and told me “We opted to go a different route, we made a few key technology purchases that we believe takes us over the compliance line.” My reply (in my head) was “Ok, sure, good luck with that.” But that’s not the only time that’s happened, and I’m damn confident it won’t be the last.
My point is, if it’s not clear yet, that technology and tools can enable your organization to get to, and maintain, compliance with whatever frameworks you are beholden to. But if you’re fully dependent on a piece of tech and forget that at least 50% of the solution is process, and another 25% is people — you’re in for a bad time.