I run into people like this all the time; they usually have a finance background and frequently believe that their equations take precedence over reality and experience... Sadly, almost every company where clowns that game the system get put in charge doesn't survive more than a few years.
Fines may not equal the cost of regulatory compliance, but they aren't the only cost of non-compliance.
By Ericka Chickowski, Dark Reading, Jun 18, 2012, 04:08 PM
At many organizations, chief compliance officers conclude that the price of achieving compliance exceeds the expense of a regulatory fine. So they roll the dice, attempting to save money by forgoing serious compliance efforts, figuring they'll simply absorb the fines for non-compliance if they're ever caught. Unfortunately, that gamble rests on flawed assumptions: most of these initial calculations use numbers that leave out the long tail of costs incurred from non-compliance and data breaches.
This faulty calculation is the dirty little secret of today's typical compliance officer, says Bob Janacek, CTO at cloud-based information delivery company DataMotion.
"There are a lot of compliance officers that just go into this maybe reading about what the fine will be and they think that's all that is, because they haven't been through it before and they don't see the long tail behind that," he says. "It's not just the front-end fines."
Compliance and security personnel need to factor much more than regulatory fines into their risk calculations, warns Chris Apgar, CEO and president of Apgar & Associates, a privacy, security and regulatory compliance consultancy. He says they need to think of the legal risks from class-action lawsuits following a breach, the cost of notifying victims, potential fallout in stock prices, the cost of technology and consultants to remediate problems when the regulators crack down, and the intangible costs of brand damage when word gets out about the company's missteps.
Apgar holds up the recent fallout from a breach at Blue Cross Blue Shield of Tennessee as a good example of how fines are just a small cost associated with non-compliance.
"Yes, they were fined $1.5 million, but it cost them over $17 million to address the breach and mitigate," he says. "It can be very expensive, and that's real hard costs: that's not the intangible costs of loss of trust and potential loss of business. People don't understand what the full cost is because they just focus on what does the regulation require of me and what are the penalties?"
He related an example he saw recently in a customer engagement to illustrate how hidden costs can manifest themselves when security incidents arise. In working with a large utility to test its incident response plan, his team found that its IT shop's response procedures were in great shape. But when it came to responding to something in concert with other departments that would be affected by a breach, that's when things got squirrelly.
"When we brought in the attorney and the communications shop and so forth, it just fell apart," he says. "They didn't know what to do or where to go. There wasn't that linkage between a good, solid IT shop that was secure and then when it spilled over into the business what it would cost or what it would even take to address it."

According to Janacek, it will take a while yet for most compliance officers to gather a broader picture of the risks as compared with the cost of compliance.
"I think it may take a long time for compliance officers to really see the total risk that a compliance breach has on the organization," says Janacek, who believes that at the moment many well-intentioned CCOs are still learning through ad hoc, on-the-job training. "But hopefully when they see the total costs of these breaches in the media, and how many more times it costs to remediate these breaches versus putting in systems that could prevent them in the first place, hopefully they have the clout to try to do the right thing."
And when they do try to do the right thing, then perhaps the costs will be cut not through the roll of the dice, but instead by creating an efficient governance, risk and compliance program.
"The regulatory burden is only going to get heavier year-over-year. Its drag on the bottom line is palpable," says Ben Tomhave, principal consultant at LockPath. "As such, it is becoming increasingly important that this burden be taken on aggressively through instantiation of a comprehensive GRC program that includes an imperative to actively manage operational risk in a measurable, cost-effective manner. To achieve this objective, businesses will need to formalize their GRC practices through stand-up of a GRC program."
Some other really bad ways to handle compliance...
10 Symptoms Of Check-Box Compliance
These telltale signs show you care more about what the auditors think than what the attackers do.
By Ericka Chickowski, Dark Reading, May 07, 2012 02:46 PM
Security and risk pundits have long lamented the practice of going through the motions just to satisfy security regulations and standards like PCI, SOX, and HIPAA. Phoning it in may keep the auditors in check, but it won't mitigate the risks of attack. According to security and compliance experts, the following are some of the telltale signs that an organization is falling into the trap of check-box compliance.
1. Arguing over which standards are best.
Check-box-oriented organizations tend to get caught up in the regulatory minutiae so that they can't see the forest for the trees.
"Some organizations claim that they take the best of various policies and then go to work on a 'deeper policy,'" says Ron Gula, CEO and CTO of Tenable Network Security. "However, if you look closer at these sorts of things, they often target the union of various compliance standards and not the aggregation of all checks."
2. Losing sleep over an audit.
"If you are losing sleep about passing an upcoming security audit, you've got the check-box compliance disease -- and it's probably rampant in your organization," says Lamar Bailey, director of security research and development for nCircle.
As he puts it, security standards are the point of embarkation for the risk-management journey. They're not meant to be the end-all, be-all for securing an organization. They just get you started. Organizations that have a hard time even satisfying these beginner requirements should lose sleep over how insecure their systems are, not whether the auditor will break out a rubber stamp.
"These standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game," Bailey says. "If you can't pass them with two hands tied behind your back, you need to quit and find another game."
3. Putting line-of-business managers through spreadsheet hell.
If you make line-of-business managers fill in voluminous review forms, your organization is probably on the compliance-for-compliance-sake bandwagon, says Jason Garbis, vice president of marketing for Aveksa.
"Many times, enterprises approach access compliance by manually creating and emailing large, complex, and unwieldy spreadsheets," Garbis says. "If you're asking line-of-business managers to review a jargon-filled spreadsheet with hundreds of rows, chances are that this is a check-box review."
4. Viewing penetration testing as a panacea.
With so many compliance regulations requiring a penetration test, unsophisticated organizations seeking only to cover their bases view pen testing as an all-purpose security cure. If your organization uses pen testing instead of monitoring or vulnerability management, odds are you suffer from check-box compliance.
"If a company wanted to do the bare minimum, they could hire unsophisticated penetration testers and, when they don’t break in, claim 100 percent security," Gula says. "Of course, this type of penetration test is not a substitute for a full audit."
5. Using tools geared for forensics rather than prevention.
Unduly focusing on monitoring tools for the sake of establishing audit trails, without ever thinking about attack prevention, is a strong signal that your organization has its head so far in the regulations that it has forgotten the reason they're there in the first place.
"Most compliance regulations do not have security enforcement restrictions; they mainly focus on monitoring," says David Maman, CTO of GreenSQL. "Having a monitoring system instead of a prevention system is a modern take on closing the barn door after the cows have gotten out."
6. Confusing logging and log storage with monitoring.
Nevertheless, monitoring still does have a place in the overall risk-management framework. The problem is that most organizations confuse logging and log storage with effective monitoring.
"It can be very difficult for any size network to have a reliable logging infrastructure, and this is required by lots of compliance regulations," Gula says. "However, getting logs is much different than analyzing logs and looking for evidence of attacks and abuse."
7. Overbuying to get a specific compliance-oriented feature.
If your organization spends significant amounts of dough on tools that duplicate security features sported by tools it has already purchased, just so you can nab one specific compliance-focused feature, that's a dead giveaway you've fallen into the check-box compliance trap, says Marcus Carey, security researcher at Rapid7.
It happens all the time, Carey says. "You call up a vendor because they're the only one that does X that you specifically need to satisfy some specific requirement of the regulation," he says. "You discover you can't buy X alone, so you end up spending six figures on a solution that duplicates most of what you already have installed."
8. Generating a low access revocation rate.
Making information accessible on a need-to-know basis is a security fundamental, which is why access reviews are included in so many regulatory requirements. Unfortunately, though, most check-box compliance organizations perform these perfunctorily to cover their derrieres. So unless your organization is extremely mature in its security processes, an access review that doesn't yield many changes was probably done just to satisfy requirements, Garbis says.
"If an organization is doing a good job of meeting compliance goals, each review process should generate a not-insignificant number of changes that have to be fulfilled," he says. "If a review process generates a very low number of follow-up changes, it's likely that this was a check-box review."
9. Spending more on system maintenance than security operation.
Check-box compliance tends to lure organizations into tons of make-work projects, so that in the long run they spend more time maintaining the systems they bought to check those boxes than actually making sure the organization stays secure, Carey says.
"[These] organizations have to hire full-time employees dedicated to systems that don't work," he says, "so they have a huge capital expense, man hours, and consulting hours on something that is effectively useless."
10. Systems cause more audit problems than solutions.
In the same vein, Carey says these check-box-prone organizations also tend to see more audit problems than solutions come out of their compliance systems.
"I see misconfigured or poorly designed systems causing a nightmare for organizations trying to explain every false-positive to an auditor," he says. "It's unfortunate the solution they bought to pass audits can ruin them when they actually procure it. That's a double whammy."
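Item 6 above draws the line between collecting logs and actually looking for evidence of attack in them. The following is an added example (editor-supplied, not code from the Dark Reading article or the original poster) that makes the difference concrete: the same constructed sshd-style log lines are first "stored" (counted) and then analyzed for a password-spraying source that fails repeatedly and then gets in. The log lines, the IP addresses, and the threshold and window values are all assumptions chosen for illustration.

```python
"""Storing logs versus monitoring them: an added illustration for item 6.

Editor-added example, not part of the quoted article. The log lines are
constructed sample data in OpenSSH syslog style (documentation-range IPs);
the detection thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real data): one source hammers root and then
# succeeds; one user fat-fingers a password once; one key-based login is clean.
SAMPLE_LOG = """\
2012-06-18T04:01:02 host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
2012-06-18T04:01:04 host1 sshd[1002]: Failed password for root from 203.0.113.7 port 51114 ssh2
2012-06-18T04:01:06 host1 sshd[1003]: Failed password for root from 203.0.113.7 port 51115 ssh2
2012-06-18T04:01:08 host1 sshd[1004]: Failed password for root from 203.0.113.7 port 51116 ssh2
2012-06-18T04:01:10 host1 sshd[1005]: Failed password for root from 203.0.113.7 port 51117 ssh2
2012-06-18T04:01:12 host1 sshd[1006]: Accepted password for root from 203.0.113.7 port 51118 ssh2
2012-06-18T04:05:00 host1 sshd[1010]: Failed password for alice from 198.51.100.9 port 40000 ssh2
2012-06-18T04:05:30 host1 sshd[1011]: Accepted password for alice from 198.51.100.9 port 40001 ssh2
2012-06-18T09:00:00 host1 sshd[1020]: Accepted publickey for bob from 192.0.2.5 port 40500 ssh2
"""

# Matches the constructed format above; a real deployment would adapt this
# to its own syslog layout (an assumption, not a universal sshd parser).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Turn raw lines into structured auth events; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "method": m["method"],
            "ok": m["result"] == "Accepted",
        })
    return events


def store(events):
    """What 'logging' alone buys you: a count of retained records, nothing more."""
    return len(events)


def detect_bruteforce_success(events, threshold=5, window_sec=120):
    """Flag a source IP that fails at least `threshold` times within
    `window_sec` seconds and then logs in successfully. Both numbers are
    illustrative assumptions; tune them to the environment."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed attempts
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[ev["ip"]]
                  if (ev["ts"] - t).total_seconds() <= window_sec]
        failures[ev["ip"]] = recent
        if not ev["ok"]:
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "ip": ev["ip"],
                "user": ev["user"],
                "failures_before_success": len(recent),
                "at": ev["ts"].isoformat(),
            })
            failures[ev["ip"]] = []   # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("records stored:", store(evs))          # the check-box view
    for alert in detect_bruteforce_success(evs):  # the monitoring view
        print("ALERT", alert)
```

Run as a script, the "stored" view reports nine records and says nothing about risk; the detection pass surfaces exactly one alert, the 203.0.113.7 source that failed five times and then authenticated as root, while alice's single typo and bob's key login produce no noise. Retaining the nine lines satisfies a logging requirement; only the second pass would tell anyone that an account was just compromised.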