This article is part of a multipart series presenting the Jargon-Free Security Model. Part I introduced the model, while Part II discussed “Visibility,” and Part III presented “Control.” These two elements of “Visibility” and “Control” cover 95% of a typical security framework’s content. However, as a Chief Information Security Officer (“CISO”), you are expected to run a complete security program. As an executive, you must do much more than merely monitoring the environment and managing security controls. Additional management activities are critical to the CISO’s success, but technically focused security models neglect them. The Jargon-Free security model highlights these management aspects because the CISO or DIS operates a complete function within the company.
What’s wrong with “Identify, Protect, Detect, Respond, Recover?”
There is nothing wrong with a security team using that model or any other to manage their core function. A narrow focus on developing and implementing security controls and continually monitoring their effectiveness is entirely appropriate within your team. As an executive leader, you need to think about larger issues. The Jargon-Free security model helps the CISO define an approach and communicate outward to the executive team. Of course, your communication must address how you are meeting the core objective of protecting the enterprise. But focusing narrowly on the details of protection using the NIST Cyber Security Framework, for example, doesn’t provide any way to measure or communicate other aspects of your function, such as training, staffing levels, research and innovation, etc.
The Jargon-Free security model highlights additional elements not strictly related to implementing infosec controls. Though traditional low-level security models often ignore them, you cannot manage a security program without considering them.
Compliance = “Essential Busywork”
“Compliance” is the first of these additional elements. The compliance element collects all of the things you must do to meet legal, regulatory, or contractual obligations related to information security, especially if these activities do not directly contribute any other value to the business.
Controls required to achieve compliance may help secure the enterprise as a side effect. Conversely, the things you do to secure the enterprise may coincidentally help achieve compliance with external regulations. However, compliance controls encompass things you only do because you are legally required to do them.
To clarify this point, I’ll provide some examples from PKI. In PKI, there are technical security aspects, like key length, secure private key storage, the publication of public key status information, etc. But there are also governance aspects of PKI, such as a requirement to publish a policy in a specific format (described in RFC 3647) and to have a particular, designated governance body for PKI, the Policy Management Authority (“PMA”).
When companies deploy PKI for internal use, the technical security aspects are essential. You must store important private keys on special cryptographic hardware, and you must choose a secure public-key algorithm with a long key. These are crucial security controls that protect the business.
Equally, it is essential to have policies governing the protection and use of the keys. Documenting the policies is vital so that all stakeholders have a common understanding of the rules.
But there is no inherent requirement for you to use the specific format documented in RFC 3647. There is no inherent business requirement to establish a separate governance body focused exclusively on PKI.
Suppose you want external parties to trust the certificates you issue. In that case, you may have to provide those parties with a policy document in the RFC 3647 format, and you may need a distinct PKI policy governance council. If you need to maintain a unique document in a specific form to comply with an external requirement, this is a compliance activity, not a security activity.
Compliance activity is “essential busywork.” It is “essential” because compliance failure can severely impact the business commercially, but it is “busywork” because there is little or no intrinsic value to the activity.
No one in the business will care if you perform compliance activities successfully; they will only care if you fail to perform them.
The power of the “Minimum Requirement.”
The key to maintaining credibility when managing compliance requirements is to recognize and respect the minimum requirement. Your executive peers will understand that achieving compliance will add cost and complexity. They’ll realize that they need to accept the cost and complexity to capture a market or enhance the company’s reputation in an industry. They will not want to spend more to achieve compliance than the company will recognize in benefit from achieving compliance.
Arguing for investments that will help you exceed the regulatory requirements will only create a perception that you are out of touch with the business’s needs.
You can use an external requirement as a justification to invest in a necessary capability that will also deliver real security benefit to the organization, but you have to be very aware of the cost vs. the benefit. The company expects additional revenue because compliance can open a new market or provide a competitive advantage over a rival. They will also understand that there is a “cost of doing business” attached to compliance. If you want your peers to see you as a trusted security adviser, you should know the expected financial upside and ensure that your compliance controls don’t add more cost than necessary. Do not add more cost than the additional marginal income the company hopes to earn due to the compliance. If you can leverage existing investments to achieve compliance at no extra cost, you will be a hero!
The cost of compliance should be tracked and reported separately, and ideally, it should be flat or decreasing year over year. The CISO must carefully justify cost increases to achieve compliance in terms of increased ability to earn revenue or in terms of a natural cost increase resulting from the additional scale.
Compliance is not a “blank check.”
A key mistake that security people can make is to treat a compliance requirement as a “blank check.” From your perspective, a new compliance requirement may seem like a great opportunity to buy that amazing, expensive new tech that wasn’t approved in the last budget meeting. Resist the temptation! Remember that business people consider compliance as a “cost of doing business.” Your job is to help them minimize the cost so that the business maintains a profit margin.
Remember, if it helps the business’s security, it is “Visibility” or “Control.” If it is essential busywork that must succeed but adds no intrinsic security value, it is compliance.