Let me start out by saying that I have a bias against regulatory compliance standards, especially those that are non-specific, not prescriptive, require voluntary cooperation for information gathering, and allow auditors to pass judgment on adequacy with little oversight or discussion.
My passion has always been for implementing real security and for staying aware of the latest threats and mitigations. There is a definite place in the business world for operational standards such as segregation of duties, four-eyes transactions, and workflow approvals, as well as attestation of privilege.
I have also believed that the government has a place in setting standards for many things, including appropriate national security and financial standards. But for a standard to be effective, it must be specific, easy to measure, and have clear penalties for failing to comply. Some Federal and State standards are good; others seem to be a concerted plan to mow down large swaths of forest to print paper documents of little to no value for the citizenry.
What’s New About NIST?
The recently announced NIST framework is a lot of useless and redundant verbiage that collects standards which have existed for at least a decade. There is nothing fundamentally new, revolutionary or even effective in the framework. One should ask the question: was Target compliant with all of these standards? The answer is most probably yes, given that they had top-notch auditors following almost all of these guidelines and frameworks.
So then, how did Target suffer such a devastating loss given its compliance? Target failed to implement security; it chose to implement audit compliance instead. Security provides real protection (but requires constant investment, training, and the latest tools and skills), whereas audit compliance generates paper, makes money for auditors, and provides a virtual get-out-of-jail card (which is not going to work for Target).
The real truth about security standards and frameworks is that hackers and nation states don't care about them. Given that the frameworks are generally toothless (no one enforces them with fines for non-compliance) and completely generic in nature, they are effectively worthless and ineffective. Target was PCI-DSS compliant (another security framework), yet it did not implement the basics of security (changing passwords and controlling access to its networks).
The frameworks don't force companies that are naïve about security, or just cheap about the necessary investments, to get smart and invest appropriately. Generally, fines and other penalties are about the only things that get companies to fix their security.
Security frameworks such as the NIST guidelines are pretty much self-employment documents for the large audit firms: they generate more revenue, more confusion and more fear, but deliver no security. The standards (they are really too vague and unenforceable to be called standards) effectively create a new set of places to charge customers for arbitrary judgments as to what is "good security" and "adequate", while criminals break in where they want to and when they want to.
Ask Target how well security framework standards like PCI-DSS helped it. The answer is obvious if you had to get a new credit card or reset your email password. Security frameworks are no substitute for intelligent and vigilant security staff, technology and processes.