Compliance Focus or Security Focus?
I recently attended a virtual conference on CMMC, an upcoming security mandate for defense supply chain organizations. There were a lot of great sessions, but one that stood out was presented by Scott Goodwin, Manager – Cybersecurity and Privacy Advisory at DGC. A lot of the information Scott covered wasn’t brand new per se, but it had a great theme of “Compliance Focused” vs “Security Focused.” Or, taken another way, are your security practices “good enough to pass an audit” vs. “best practice and truly driven to be more secure.”
If you are dealing with CMMC, DISP, ITAR, SOX, HIPAA, GDPR or any other regulation that requires enhanced security, or even if you are trying to use these types of regulations as a guide to increasing general security and compliance, you need to consider is your ultimate goal achieving “good enough” or “truly focused” security?
Security vs Compliance. What the Difference?
Before we go any further, let’s look at the purpose of these two important practices:
- Security is the practice of putting effective technical controls in place to protect company assets.
- Compliance is the application of controls to meet one or many different regulatory or contractual requirements in order to manage risk. While compliance may drive some security practices, it is not the main goal.
While compliance and security should be symbiotic, they can sometimes be at odds. Especially when organizational goals and industry standards focus on checking off a requirements box instead of building a best practice. For example, take the classic password policy. Let’s assume you have a Microsoft Entra ID password policy that complies with the corporate risk governance policy to gauge how restrictive your password policy is. There has always been a delicate balancing act between passwords that are long and complex enough to thwart hackers vs passwords that are easily remembered and used.
We’ve all seen (or at least know of) users who are unable to keep track of their passwords, driving them to write their overly complicated passwords down on a sticky note attached to their keyboard or monitor. This practice effectively negates the security of the password.
What about Data Governance and Security?
This got me thinking, maybe the same could be said for managing the governance of corporate data. If the process is too hard and timely to complete, then by the sheer nature of being human, users will find a workaround to simplify the task and meet the impending deadlines.
Supportive technologies need to be just that, supportive – not barriers to productivity. So, how can you introduce solutions that provide benefits instead of inadvertently creating roadblocks and security threats?
What we do know is that employees have a familiarity with the tools that they interact with every day: Word, Excel, SharePoint and, even more so now, collaboration tools like Microsoft 365. If this is indeed the case, why would you want to unsettle the workforce by introducing additional tools, tasks and or interfaces that can introduce complexity and add to an already overworked support desk?
Even after you have introduced this new solution, what’s next? Do you know if the next “process” or control requirement will be from management or the industry? I don’t. However, what I do know is that desktop applications and their enterprise counterparts are here to stay, and your users are happy using the ones that they have – mostly.
Finding a complementary solution that monitors and governs the information that is shared between enterprise and desktop would be the ultimate goal, especially if it was dynamic yet restrictive by nature.
- A solution that does not impact a user’s process familiarity unless they do something they shouldn’t, effectively providing the organization with a proactive security posture that does more than just check a compliance box.
- One that places data security front and center while being transparent to the end users, so their productivity isn’t impacted.
- A solution that puts you on the defensive, rather than running damage control after the fact, by preventing mistakes and security issues from happening in the first place.
For example, what if instead of letting users share a Word document internally or with third parties that can be saved or downloaded, you instead force them to view a secure read-only copy – based on the attributes of the file? One that strips out the ability to perform any other actions from the user toolbar other than read-only – no printing, copying, or saving permitted – again based on the attributes of the user and sensitivity of the document. And for extra security, what if it had a digital watermark with their user details, date, time, and IP address stamped on it so if they snapped a mobile photo, then you would know where the leak came from?
You may be wondering why you’re not already doing this. While this may seem like a simple solution, it’s not functionality you’ll find out of the box. You will have to seek out a third-party solution for it. However, by implementing measures like this, you can easily adopt a truly focused proactive security posture that not only checks the compliance box, but will also make your information and organization far more secure.
Your future self will appreciate the stepping stones you place today
Whether you are attempting to pass a regulatory audit or stay compliant, or if you’re just trying to increase your overall security around governance, remember that there are many layers of risk (and processes) that need to be considered in your environment. Here at archTIS, we specialize in helping you secure your data with advanced dynamic information protection capabilities, but no security measure will work without all the other policies fitting together as tightly as possible.
The next time you review your existing security measures or look to implement additional measures, be sure to determine if it’s just “good enough” or “truly focused” security. Your future self will thank you.