Regulatory Frameworks Must Adapt to Ensure a Line Can Be Drawn Between Compliance and Ability to Protect Data
You know, I always had disdain for the professors in high school and college who based part of their grade on whether or not you did your homework. It seemed like a way for them to look good without having to really validate the student’s knowledge of the material. I always felt homework was a means to an end. Shouldn’t I truly be scored on the end and not the means? (In case you haven’t inferred it, I was not a fan of homework.)
We’ve sort of taken the same approach to protecting data. We focus more on compliance than we do on the efficacy of the various measures implemented to become compliant. Is this because the cost of non-compliance outweighs the cost of failure to protect data? Absolutely. I’m fairly confident the folks at Global Payments proudly displayed their PCI compliance. While VISA originally pulled them from their compliance list, this is only until a forensic investigation can validate compliance.
Industry security standards, if they are to be of any value, must show that there is a correlation between compliance and results. Today, simply put, there is none. I recently reviewed a 2012 study detailing the state of security of patient data, produced by HIMSS Analytics. The report, now in its third iteration, points to some trends that ought to be driving change in the way we approach industry standards.
Again and again, respondents point to a significant bias towards demonstrable compliance, not effective data protection. Of those respondents who experienced a data breach in 2012, only 25% said the event precipitated changes to their organization’s security action plan. Yet 73% said changes to regulations such as HIPAA and HITECH drove plan updates.
So, how do we shift this dynamic? How can schemes like HIPAA and PCI actually result in reduced data breach rates? First, these standards must audit for institutional understanding of security policies and procedures. Statistics consistently point to the fact that most data breaches emanate from some internal resource. 45% of respondents indicate the biggest threat to the protection of data is a lack of staff attention to policy. Without engaging with staff to gauge understanding, all certification does is validate the presence of a dusty binder on a shelf.
I wrote way back in June of last year about the need to develop a culture of security. As I have engaged with some of the largest financial services companies in this country, I can tell you therein lies the difference between truly secure organizations and those with a compliance check-list mentality. Those that have tirelessly worked to improve awareness and understanding amongst their employees and third-party contractors have seen positive bottom-line results. Certifying bodies have got to develop a mechanism to measure the organizational uptake of these processes and policies, and validate that they're part of the DNA of the organization.
Only then will compliance be a true indicator of an organization’s ability to protect our data. Please let me know what other ideas you have to help improve the impact of our regulatory frameworks.