Compliance Does Not Mean Secure

Friday, August 26, 2011 @ 04:08 PM gHale

Meeting compliance is an important goal for any company or agency. But, especially in the manufacturing automation industry, just because a company is compliant does not mean it is secure.

That topic came to the forefront last week, when a panel of cybersecurity experts said Tuesday that federal government agency chief information officers deal more with compliance and checking boxes than with truly focusing on cyber security and risk management.


“Compliance is my worst nightmare,” said David Stender, associate chief information officer at the Internal Revenue Service. “If you’re really trying to be compliant you’re spending way too much money to achieve that,” he said at the MeriTalk event in Washington, D.C.

Real risk management means being prepared for an incident, as well as the impact of that incident on a system, said Peter Mell, a senior computer scientist at the National Institute of Standards and Technology. “As far as I can tell, I don’t know of anybody that’s doing risk management,” said Mell.

“The idea that we can create policies and comply with them, and achieve secured systems that stay secured is a complete fallacy,” said Mell. “Yet that is the daydream of the nightmare that we are living in.”

But Tony Sager, chief operations officer of the information assurance directorate at the National Security Agency, said compliance is, in fact, important. The problem is that compliance is misaligned with technology, he said. The goal should be to demonstrate compliance from the data IT systems already generate, and current standards don’t make that easy.

Joe Jarzombek, director for software assurance in the national cyber security division of the Homeland Security Department, helps maintain the National Vulnerability Database. The database is a resource for proactive, continuous monitoring — an alternative to the reactive patching at the core of agencies’ cyber security strategies.

“We can tell you where, in advance, you would be exploited. So why is it that we’re not doing something about it?” asked Jarzombek. “Rather than simply waiting for people to tell you that you must do things through changes in policy and compliance management, we can actually take some preventative actions.”

Leveraging reporting and automation is a key element to creating secure networks going forward, said Sager.

“I hire and develop [cyber security] wizards for a living. There are never going to be enough of them,” said Sager. “We’ve got to automate more of this stuff so we can put the precious few humans we have on our really hard problems, not patching and configuration.”
