The sinking of the RMS Titanic resulted in the loss of more than 1,500 lives—and it was entirely preventable. The crew had been warned of icebergs, yet continued at full speed, which was standard practice. And they only had enough lifeboats for roughly half the passengers, but they were in compliance with marine law. In fact, they had exceeded the minimum requirement by four boats.
Jumping ahead a century—and from maritime tragedy to cybersecurity disaster—the SolarWinds breach of 2020 was also a preventable failure of imagination. Many organizations are still recovering today, even though they were fully compliant with the Federal Risk and Authorization Management Program (FedRAMP) at the time and falsely assumed they were safe. In fact, a security patch many believed would make them safer was the Trojan horse that, when implemented, introduced a backdoor compromising thousands of networks.
Now, compliance in and of itself is not the problem. It’s a great start to show a company is meeting the threshold of security maturity, but it’s not enough. Frameworks are also important to help ensure all aspects of a security program are being considered. But again, they’re just a start, and won’t provide the prescriptive guidance a business needs to understand which security controls and procedures will work best for its unique case.
Focus on the Spirit vs. the Letter
Organizations must strive to abide by the spirit of the compliance framework rather than the letter of it. For instance, at a certain point it became a requirement to run annual penetration testing, but there wasn’t much specification provided about how you should go about it. So, as long as an organization runs a pen test once a year, in a manner of their choosing, they’re technically compliant. But are they actually complying with the spirit of that framework?
Blind spots will inevitably form if you just follow compliance requirements alone. And frameworks can ultimately limit your focus to the point where you’ve only protected the subset of your environment that is in scope for compliance. Therefore, you could be fully compliant—and have that illusion of safety—yet be vulnerable to any attack on an area not covered by compliance.
Set Compliance As Your BASeline
Security control validation is a key component of compliance requirements for many organizations. But there are differing opinions about the best way to test controls, including when it should be done, how often, and what tools are most effective to support the process. To ensure your security program is as mature as possible, work from the compliance framework as your baseline, and build upon it.
Regulations are guidelines that are generic enough to cover a wide variety of enterprises, but each enterprise has its own challenges. Hence, compliance-driven activities like point-in-time pen testing or red teaming may not be sufficient. This is where automated, continuous security validation offered by breach and attack simulation (BAS) tools like the SafeBreach platform comes into play. SafeBreach enables users to execute targeted attack scenarios across a wide variety of controls to optimize their specific set of configurations, pinpoint inefficiencies in their stack, and create a stronger security foundation for the future of their business.
Check out the recording of my recent webinar below to learn more about the limitations of compliance, and hear me out as I make the case for integrating BAS as a practical approach to supporting compliance within your security portfolio. And hopefully we can work together to transcend compliance to better avert threats (beware of icebergs) and remediate gaps (add more lifeboats).