Are cyber compliance requirements getting in the way of security?

Source: C4ISR & Networks

Compliance mandates are often the result of a compromise between cost, ease of use and security, and in that compromise security is the element most likely to be traded away to meet budget or ease-of-use constraints, said Dave Archer, cryptography and multiparty computation research lead for security software company Galois.

“Security mandates are based on expectations about adversary capabilities, yet adversaries rarely limit themselves to the defenders’ expectations,” he said. Therefore, even well-conceived security mandates that are fully complied with can fail to provide security. Mandates can also fall behind the times, leaving compliant systems vulnerable.

Sometimes, ad hoc exceptions are made for systems that can’t meet security mandates, but Archer warns against that approach. “The problem with this approach is that security mandates often form a web of protection,” Archer said. “Removing threads from that web without reconsidering the whole security picture often results in nonobvious vulnerabilities.”

When systems simply can’t meet existing security mandates, Archer advises developing new mandates from the ground up. “NIST offers a process for security assessment that flows from an understanding of adversarial capabilities, types and sensitivities of data or controls to be protected, and available budget,” Archer said. “Following this process, you can identify potential security risks specific to the system and then develop practices to secure the system against those risks becoming vulnerabilities.”