Compliance-driven approach to cybersecurity fuels security theatre

By Gary Jackson, Vice President for Asia Pacific, Tenable

India reported the second-highest number of cyberattacks in the Asia-Pacific region after Japan in 2020. One reason for this could be that several organisations in India view cybersecurity merely as a measure to meet regulatory compliance. According to data from PwC, 76% of Indian organisations did not make budgetary allocations for cybersecurity and those that invested in it did so to comply with the regulatory framework in the IT Act and guidelines by the Reserve Bank of India and Securities Exchange Board of India.

While compliance strategies are important for defining best practices, they don’t help an organisation quantify or assess risk. In other words, they serve as general guidelines but aren’t catered to the specific needs of an organisation. Compliance is surely necessary to meet legal obligations, but it cannot be the only measure for cybersecurity as all businesses function differently. Compliance is a relatively static summary of an organisation’s security status.

When a data breach occurs, the C-suite, rightly, needs to urgently know the scale of the breach, the timeframe for remediation and the immediate impact on the business. Compliance checkboxes do not address these questions in context to the business. In response, security teams may scramble to find solutions to fix the symptom of the problem instead of getting to the root cause.

Such an urgent response to a data breach is known as security theatre. And unfortunately, it is a reaction that we have witnessed too often. Security theatre, a term coined by security expert Bruce Schneier, is the practice of organisations or security teams, where superficial measures are implemented to create a perception of safety but in reality, do not address the underlying cause of the actual problem.

In the instance of a breach, some organisations may react by investing in security tools just enough to meet foundational regulations. However, throwing money at tools that do not actually focus on long-term measures only make organisations more vulnerable to cyberthreats in the future.

Therefore, a compliance-first approach to security is fundamentally insecure and organisations in India could unknowingly be victims of security theatre which will only prove to be costly in the long run. Identifying and eliminating security theatre can be the key to adopting the right cybersecurity strategy for your organisation.

Smoke and mirrors
The cybersecurity industry has long indulged in fear-mongering, resulting in organisations investing millions in tools that address security problems on a superficial level. For instance, some organisations invest heavily in anti-malware and antivirus software. These can detect known malware and viruses and their variants. However, when a new form of malware shows up, the software will not be able to detect it, rendering organisations defenceless.

The most important thing to understand about the threat landscape is that cybercriminals are not deterred by anti-malware and antivirus detectors. They go after the low-hanging fruit by exploiting known but unpatched vulnerabilities. Before investing money into tools that cover the periphery of the issue, organisations need to ensure that foundational cyber hygiene practices such as asset inventory, scanning and patching systems are met. Enforcing a strong password policy and a multi-factor authentication process and deploying encryption are additional layers of security that help prevent cyberattacks on a foundational level.

Inability to measure investments
When it comes to investing in technologies for cybersecurity, one basic question security leaders will get asked by business leaders is – How are we reducing our exposure over time? In many instances, organisations may end up investing huge budgets on tools without a way of measuring if their risk posture has improved.

An effective cybersecurity program should be able to measure success by risk reduction. Remediation actions should be prioritised to reduce the organisation’s cyber exposure. Security leaders should view, validate, and prioritise vulnerabilities critical to the business, while also understanding the context of the vulnerability. Patching and remediation are critical, but equally important are follow-up testing and quality assurance reviews. In doing so, security leaders should be able to provide clear reporting metrics and analysis of programme effectiveness.

Focusing on “headline” flaws
“Headline” flaws and the publicity around them attract the attention of the C-suite. This leaves security teams feeling pressured to respond to every one of those publicised flaws even though the threat to the business may, in fact, be low. A review of high-profile vulnerabilities in 2020 revealed that not every high-risk vulnerability was considered critical and conversely, not every vulnerability labelled critical should be seen as high-risk. With over 18,000 vulnerabilities reported in 2020, identifying and patching every single one of them becomes not only time-consuming and expensive but also impossible. It is crucial that security teams focus on business-impacting risks rather than perceived threats.

Security theatre is a false economy
Cyber risks evolve every day and organisations need to be equipped to understand external developments and incident trends, and at the same time be able to use this insight to formulate cybersecurity policies and strategies. Cybersecurity in India is largely driven by compliance. This is understandable because organisations have to follow a wide range of rules and legislations. It is, however, counterproductive to view cybersecurity through the lens of compliance alone. This will potentially lead to organisations falling prey to security theatre and organisations must break out of it.

CybersecurityTenable
Comments (0)
Add Comment