Breaking out of the compliance mindset

During my years at Mandiant, I responded to a lot of breaches for a wide variety of organizations. Every breach case had one thing in common – the customer was compliant.

Difference in the group

Addressing security threats requires a new direction from the mindset that compliance equals security.

While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security concerns have become.

Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.

Use metrics to measure and improve security awareness

It’s no secret that data is revolutionizing industries. Baseball managers have applied data to buck century-old beliefs about strategy (think Moneyball), anyone who has ever used Amazon.com knows that data has transformed retail, local law enforcement analyzes data to predict crime, and scientists are even using data to stop the spread of infectious diseases.

Most security awareness programs fail to gather metrics. Those that do typically measure inputs instead of outputs. What this means is that many teams are measuring items such as the number users who complete a CBT course or attended a lunch instead of the number of incidents related to a specific IT risk area. This is akin to looking at the number of times I visit a dentist each year instead of the number of dental incidents (cavities, root canals, etc.) and using that data as an indicator of good dental health.