Contrasting Compliance Activities with “True Security”

How do you define or measure the state of security within your organization? This is the age-old question that business leaders and information security professionals have been struggling with for some time. The many factors that determine one’s security posture can differ widely between organizations. There is no “one size fits all” that works for everyone.

Over the years, various security frameworks have been developed to assist with establishing a healthy security posture. Compliance benchmarks were introduced to measure organizations against a set of controls, such as policies and technical controls. However, none of these, taken alone, can guarantee a successful security program.

Many organizations with less mature security programs point to successfully passing their various compliance audits as an indication that they are “secure”. While I am not going to argue that these standards are not worthwhile, they cannot be considered an exhaustive yardstick for measuring a successful security program.

Compliance Activities

Security compliance audits are typically a paperwork exercise: the auditor goes through the organization and assesses whether a long checklist of security controls, policies and processes is in place.

While an organization can claim compliance with industry security standards such as ISO 27002 or PCI DSS, this typically reflects a single point in time at which the organization successfully completed an audit.

These recurring audits typically involve an independent auditor conducting an assessment to determine whether the organization was “compliant” or “non-compliant” during the time frame in which the audit was conducted. Specific controls found to be out of compliance are typically written up as findings, which the organization must then mitigate or resolve to the auditor’s satisfaction.

These audits require a considerable amount of time from many people across the organization to gather and submit audit evidence. This often involves participation from HR staff, security analysts, system and network administrators, change control, and help desk personnel.

At the conclusion of an audit, you may find yourself wondering just how much all those hours of effort have translated into meaningful improvement of the overall security posture.

“True Security”

In contrast, security is an ongoing state, always adapting to keep pace with the changing industry landscape and evolving business requirements. It involves much more than completing a series of check boxes indicating that certain processes or technical controls are in place.

As information security professionals, it is very important that we use these compliance activities to turn items that are uncovered during the audit process into opportunities to make adjustments and improvements to our security program.

For example, an audit may evaluate whether adequate event logging is enabled and retained. While providing the necessary evidence to the assessor, a security analyst might discover that logs from another tool, not specifically within the scope of the audit, were not being retained properly. The organization can still fulfill the specific requirements of the audit, but in the spirit of “true security” and maintaining a secure posture, it is important that this gap be tracked and a solution applied.

Our mindset must always look beyond the audit controls themselves to what we can learn from the review process to improve the overall state of security.

Unless you have achieved 100% comprehensive security, which I’m certain does not exist anywhere, there are always valuable lessons to learn from compliance activities. Otherwise, compliance will quickly become that paperwork exercise that consumes considerable time without any meaningful impact on the organization’s security posture.

While compliance audits and activities have their place and are important, don’t let them distract you from your real job of maintaining and evolving your security program.