When Security Leads, Compliance Follows
Agencies that focus on securing their information technology systems rather than on compliance line items will, by design, be operating in compliance with federal mandates. That’s the advice of one cybersecurity expert who has experience working in both the public and private sectors. In fact, Paul Reymann, chief executive officer, Reymann Group Incorporated, is one of the architects of the Gramm-Leach-Bliley Act of 1999 and the Federal Information Security Management Act of 2002 (FISMA), so he is particularly versed in advising organizations—both private and public—about new information security legislation currently under discussion in the U.S. Congress.
Reymann believes public and private institutions should be paying attention to three areas: situational awareness of their networks; security; and compliance. In its simplest form, personnel within companies and agencies should know their roles in information assurance at the organization and have real-time situational awareness of the activity on their networks. In the past, Reymann points out, this was difficult if not impossible to accomplish. However, technologies that automate log management and security information management are now available that facilitate situational awareness. In addition, National Institute of Standards and Technology (NIST) standards, which continue to evolve, provide organizations with the knowledge they need to enhance their systems' security, he states.
When Reymann speaks of security, he is specifically referring to the essence of FISMA. Numerous U.S. Government Accountability Office (GAO) reports over the years about government organizations' FISMA compliance have indicated that most agencies scored poorly, or many times even flunked, in terms of the information security the act requires. In many cases, the overall failure can be tracked back to agencies' concentrating on compliance rather than on security.
Reymann emphasizes that organizations need to shift their focus. "If you do security right, it will lead to compliance by default. But if you focus on compliance, it does not necessarily lead to security. We have to get people to flip that around and get them thinking about security first," he states.
But Reymann's advice is not that organizations ignore compliance. Currently, several bills have been proposed in Congress that focus on additional security and will require compliance. Among the bills are the Cybersecurity Act; the Cyber Enhancement Act; the Information and Communications Enhancement (ICE) Act, also known as FISMA II; the Data Breach Notification Act; and the Data Accountability and Trust Act. In some cases, if the person in charge of an organization’s information security doesn’t have the appropriate certifications, the organization could be held liable.
The legislation under consideration shares five common elements, he explains. The bills increase NIST's role in creating standards, including performing a formal risk assessment of systems. They call for licensing and/or certification standardization to promote a culture of security and ensure that information security professionals are properly trained. They also focus on certification of the commercial products agencies put into their infrastructure. Regarding FISMA II, Reymann states that it is unclear whether this act will simply turn up the volume on security rather than compliance, or whether it will be a total rewrite of the original law. Finally, these pieces of legislation indicate the need for automated and continued security through situational awareness of agencies' information systems.
To ensure that their organizations comply with current and future security regulations, Reymann suggests that information security personnel review the proposed rules and think about them the way golfers should look at a golf course. To take the best shots, golfers should consider what the course designer intended when creating the course. If instead they hit the golf ball in their own style, it may land on the green with an eventual chance of making par, or it may head totally off course. Golfers who think about what the course's designer had in mind are more likely to choose the right club and hit the ball in a manner that enables them to shoot par—or even under par. Likewise, "security professionals should think about what the authors of compliance mandates have in mind," he maintains.
Overall, Reymann believes that not enough control is in place to protect citizens from cyberthreats. Often these gaps arise simply because security professionals have fulfilled a compliance requirement without understanding the requirement’s purpose, so the resulting safeguards are inadequate.
Those in charge of information assurance at agencies as well as companies must recognize that compliance mandates are written from the 50,000-foot view of information assurance. In part, the lack of system security is because regulators and the regulations themselves speak in such generalities. Instead, security personnel need to know specifically how to protect systems, he emphasizes.
When examining agencies for information security compliance, organizations such as the GAO want to know more than how much money was spent on securing systems; they're interested in knowing the specifics. This means that the person who is in charge of an organization's information security must be a subject matter expert rather than an employee who has many other primary duties with information security piled on top of them.