By relentlessly pushing product-based solutions ("Just buy this, and your troubles are behind you!"), and oversimplifying the complexities of the real world ("Just do this, and you'll be secure!"), the IT industry has done its customers a gross disservice.
As a direct result of this con artistry, myths about information security have spread like butter in a warm pan. They can trigger an expensive misdirection of resources - both human and financial - and foster an illusion of security that leaves many organizations more vulnerable than ever.
Having encountered hundreds of companies searching vainly for that magic cybersecurity bullet, we figured it's high time to start debunking some of those myths.
Myth 1: Being compliant makes you secure.
Whether you’re a medical practice maintaining compliance with HIPAA and HITECH, a small publicly traded company approaching a SOX audit, or an e-commerce startup implementing PCI DSS controls (a contractual industry standard rather than a law, but one that functions the same way), it is tempting to believe that fulfilling those requirements is all you need to do to secure your most important information assets.
Unfortunately, that isn’t the case.
In fact, regulatory mandates provide only a baseline for general security principles, not a platform on which to build an effective security program. Regulations are about establishing minimum standards for entry: “If you wish to process credit cards, or transmit electronic protected health information, you must do at least this.”
Regulations are not designed to keep pace with, or respond to, changes in the threat landscape: that landscape moves in weeks, and regulatory bodies move in years. Compliance standards that originated as acts of Congress (HIPAA and SOX, for example) often require legislative action to modify, and you know how quickly that takes place.
Even modifications that do not require a suddenly cooperative Congress take time.
By the time the newest iteration of a regulation is fully implemented, the threats it was written to address may already have been replaced by new ones, and there is no way to estimate how much havoc was wrought in the interval.
Maintaining regulatory compliance doesn’t make you secure, because it can’t.
At best, the process provides a framework in which the custody of information assets can be reviewed periodically and assessed by an experienced and certified third party. Like SLPowers.
We are a SOC 2 Type II service organization. We’ve been awarded the Security-Plus Trustmark by the Computing Technology Industry Association. We can guide you through the regulatory thicket, but we can also help you implement the most practical approach to information security in the industry.
Because while compliance doesn’t equal security, true security always equals compliance.
Next week we'll tackle another security myth that could make your company more vulnerable.