We often hear about government agencies and their contractors achieving compliance with various cybersecurity frameworks, such as FISMA, NIST, IEC, SOC2, HITRUST, ISO, and OMB Memos. But does compliance equate to security? My short answer is "no": the usual result is what I call "compliant insecurity."
The Illusion of Security
"Compliant insecurity" is a term for the state in which an agency or system owner believes it is compliant with these mandates but is not necessarily secure against attackers. It arises when human attestation and paper risk analysis are prioritized over machine attestation and reproducible evidence that controls actually work. The result is a false sense of security.
A study published in Computers & Security found that compliance does not necessarily translate to security. The researchers identified a disconnect between compliance status and actual security posture, and suggested that regulatory compliance can itself produce a false sense of security.
A casual glance at recent data breaches quickly disposes of the comforting narrative that compliance equals security. The narrative is simple yet potent: adhere to the prescribed checklist, and security follows. The reality is quite different, and the distance between compliance and actual security is often difficult to quantify. A facade of compliance frequently masks real vulnerabilities, leaving government agencies and contractors in a precarious position.
The Human vs Machine Dilemma
Human attestation and risk analysis are subjective and prone to error: a signed statement that a control is in place tells a verifier nothing about whether it was in place at the time of signing, or is still in place now. Machine attestation, by contrast, produces objective, reproducible evidence collected from the system itself. By relying primarily on human attestation, we risk overlooking critical weaknesses that automated checks would detect.
An analysis published in OR Spectrum showed that machine learning algorithms can effectively identify network vulnerabilities, outperforming human analysts in certain scenarios.
While compliance with cybersecurity frameworks is important, it should not be the end goal. The ultimate aim should be actual security, not a row of ticked boxes on a compliance checklist. In practice this means prioritizing machine attestation and evidence of security over human attestation and risk analysis: a control should be demonstrated by data collected from the system, with enough provenance (what was inspected, when, and a fingerprint of the raw evidence) that a third party can re-check it.
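To make the distinction concrete, the following is an added example, not code from the original page or from any framework or vendor it mentions. It evaluates a constructed sshd_config against a handful of machine-checkable rules and emits an evidence record that carries a timestamp and a SHA-256 fingerprint of the raw input, beside a human attestation record that carries only a claim. The rule set, the requirement wording, and the sample configuration are illustrative assumptions; they are not an official control mapping.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample sshd_config for illustration only (not captured from a real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
"""

# Illustrative machine-checkable rules: (keyword, expected value, requirement text).
# These are assumptions for the example, not an official control mapping.
RULES = [
    ("PermitRootLogin", "no", "Direct root login over SSH must be disabled"),
    ("PasswordAuthentication", "no", "Password authentication must be disabled"),
    ("PubkeyAuthentication", "yes", "Public-key authentication must be enabled"),
    ("X11Forwarding", "no", "X11 forwarding must be disabled"),
]


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for an sshd_config body.

    Comments and blank lines are skipped. sshd honours the first occurrence of a
    keyword, so later duplicates are ignored rather than overriding earlier ones.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def evaluate(text):
    """Check every rule against the parsed config and return one finding per rule."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, expected, requirement in RULES:
        observed = settings.get(keyword.lower())
        # An absent keyword is a failure: the daemon default is not evidence.
        passed = observed is not None and observed.lower() == expected
        findings.append({
            "keyword": keyword,
            "expected": expected,
            "observed": observed,
            "requirement": requirement,
            "status": "pass" if passed else "fail",
        })
    return findings


def machine_attestation(text, source):
    """Evidence record: findings plus the provenance a verifier needs to re-check them."""
    findings = evaluate(text)
    return {
        "kind": "machine_attestation",
        "source": source,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "evidence_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "findings": findings,
        "compliant": all(f["status"] == "pass" for f in findings),
    }


def human_attestation(statement, signer):
    """Contrast: a claim with a name on it, and nothing a verifier can independently re-run."""
    return {"kind": "human_attestation", "signer": signer, "statement": statement}


if __name__ == "__main__":
    print(json.dumps(human_attestation(
        "SSH on all servers is hardened per policy.", "system owner"), indent=2))
    print(json.dumps(machine_attestation(
        SAMPLE_SSHD_CONFIG, "constructed sample sshd_config"), indent=2))
```

Run against the constructed sample, the machine record reports two failing rules (root login and password authentication are both enabled) and marks the system non-compliant, while the human record asserts hardening with nothing to check. The hash of the raw input is what lets an auditor later confirm that the findings correspond to the configuration actually inspected.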
A good example is adherence to NIST's Cybersecurity Framework. While it sets a substantial foundation and must be considered "table stakes," a Harvard Business Review analysis demonstrates that a checklist mentality toward it can lead to a false sense of security.
The Cybersecurity Maturity Model Certification (CMMC) is making great strides toward a continuous cybersecurity approach that extends beyond mere compliance. It helps build a culture in which security measures are proven effective through continuous, machine-driven evidence rather than human attestation alone.
It’s time to rethink our approach to cybersecurity in government contracting. Let’s move beyond “compliant insecurity” and strive for real, evidence-based security.
Reducing Compliant Insecurity
The following deck was presented live at the Federal Computer Security Managers' Forum Offsite on Tuesday, June 20, 2017, at NIST Headquarters in Gaithersburg, MD. Flip through it for a fuller picture of top-down vs. bottom-up risk governance and how to reduce compliant insecurity.