Today’s rant is going to be about compliance based security vs. risk based security.
It’s easy for people just coming up in the field as I have been or people outside the enterprise environment to say “obviously risk based, protect your assets,” but as I spend more time in a corporate IT security team I see why so many companies structure their whole info sec department around what these compliance frameworks say: they are thorough, tightly regulated, and leave little budget and resources for other projects that a risk based approach would prioritize.
Take myself for example. I recently got a degree in IT security, obtained my CEH, have 1 year of experience in higher ed IT security, and do this stuff in my free time because I love it yet my main role is to ‘audit’ our company for HITRUST compliance. Which essentially means I sit people down with a spreadsheet of 20-100 controls and ask them if we do it or not. This boring, arduous task of tracking down and organizing the responses for about 900 controls across all aspects of the enterprise, is my main duty at the moment. I keep myself busy trying to insert myself into projects the IT Security team is doing instead of looking longingly over the fence from the business side of things.
I’m not touting myself as an expert L33t H4K3R but I feel like I’m being wasted. I find myself dreading everyday I have to go in and build dashboards or fill in excel spreadsheets but eagerly anticipating the days I get build a PoC for a sysmon deployment or write scripts to automate the repetitive tasks that plague the team.
I am currently trying to create and worm my way into a pen testing role, and it seems I may have my wish soon so fingers crossed. Even as a complete amateur who struggles to pull off much exploitation beyond nessus to metasploit modules or cracking passwords pulled off responder, I feel I would be a much grater asset to the company because every large company needs someone to fill the gaps of the once a year, or maybe twice a year pen tests (for compliance of course). While these assessments often provide valuable information on security issues in the environment, without someone to keep testing and help mitigate the vulnerabilities, they are often left unpatched and vulnerable.
I wish organizations could find a balance between compliance based and risk based security. While organizations usually try to know where their data is and the risk it faces, they often lack to resources to thoroughly track and control the terabytes of data flying across the wire. In my humble opinion the regulating agencies will need to compromise as well and at least loosen these frameworks and the rules around them to allow organizations to focus their resources on really evaluating their risk and understanding where their data is and how to best protect it.
The regulating agencies try to do their best to create a comprehensive list of controls but they try to apply to so many verticals that the list gets longer and longer and is more and more costly to the company. Especially these older, larger enterprises are already so far behind with their IT infrastructure, trying to force them to be more secure with strict controls is only making it worse and forcing companies to quickly cobble together solutions or spend exorbitant amounts of money to get a ‘certification’ (of bullshit).
I’m not cut out to be an auditor, I just wanna hack stuff.