IT compliance leads to false sense of security

For many organizations, such as those in the healthcare and financial services industries, IT compliance is a requirement and simply a cost of doing business. Too often, though, we find businesses that are “compliant” – yet not secure.

This finding may be puzzling to some who read this article. How can a business be compliant and not secure? Isn’t that the point of compliance?

Many, if not most, of the high-profile data breaches making headlines over the last few years involved businesses that were compliant at the time. Compliance does not, and never will, equal security (or safety). To illustrate the point, let’s compare IT compliance with the state of Tennessee driver’s license requirements, and then explore tips on implementing secure practices that apply to both regulated and non-regulated companies.

Is your compliant network actually secure?

To obtain and keep a class D driver’s license in the state of Tennessee, you must provide citizenship documents, pass a written examination on the basic laws of the road and road sign knowledge, pass a vision test and, last but not least, pass a road test to demonstrate that you can apply those rules behind the wheel. Once you have passed all the requirements successfully, you will be the proud owner of a Tennessee driver’s license; you are compliant. With a valid license in hand, you are legally allowed to operate a motor vehicle, but that does not mean you will operate that vehicle in a safe and secure manner. If you violate the rules of the road and operate unsafely, you may be fined and/or your license may be revoked. Similarly, IT compliance is your license to operate within your regulated industry; it is a baseline requirement necessary to conduct business, not evidence that your controls actually stop an attacker. “It’s important to remember that being compliant does not mean your organization is safe, nor does it mean that your organization is immune to repercussions at the hands of a data breach.” [1]

So what steps can you take to determine if your IT function is operating in a safe and secure manner, with or without compliance? Let’s start by asking some questions about how IT security is handled within your organization:

  1. Does the firm have an information protection charter in place, and are employees made aware of it?
  2. Who is the single owner of IT risk for the organization (for example, an information security officer)?
  3. Is there a cross-departmental group of leaders within your firm meeting on a periodic basis to act on the implementation and application of the information security charter?
  4. Is there an information security framework in place?
  5. How are IT risk assessments handled within the organization? What standard(s), if any, are you following?
  6. How does your organization respond when a particular threat is in the news cycle?

Being able to answer these six questions is a great start! Unfortunately, I’m sure many readers are unable to answer one or more of them. I suggest that you start, or continue, asking these questions internally. If you cannot obtain credible answers, a serious risk may be lurking in your organization, and it could be time to bring in an external subject matter expert to help you implement and operate a safe and secure IT function.

I want to leave you with two takeaways to digest and act on today:

    1. In 2013, two days after Presidential Executive Order 13636 was issued, the Center for Strategic & International Studies (CSIS) produced a 12-page report titled “Raising the Bar for Cybersecurity.” The report cites a finding by Australia’s Defence Signals Directorate (the NSA’s counterpart, now the Australian Signals Directorate) that at least 85 percent of the targeted cyber intrusions it responded to could have been prevented by following the first four mitigation strategies in its “Strategies to Mitigate Targeted Cyber Intrusions”:
      1. Use application whitelisting.
      2. Patch applications.
      3. Patch operating system vulnerabilities.
      4. Minimize the number of users with administrative privileges.
    2. One year after Executive Order 13636 was issued, the NIST Cybersecurity Framework was released to the public. Of the many compliance/security frameworks available, this one is simple enough for any business to adopt, no matter where it is in its IT security maturity, and it gives a common vocabulary for the questions above.

If your firm is looking for an expert to advise you in the area of IT security and IT governance, please reach out to Kraft Technology Group. We are here to help.

[1] “Compliant does not equal protected: our false sense of security,” Oct. 22, 2015.
