How many times have you heard a statement like this: “Compliance does not equal security!” You’ve probably heard it many times and you can recount examples from your own experience. There is a general implication that the regulatory bodies that impose requirements on organizations (be they public or private organizations) don’t truly understand cyber security. Compliance has taken-on such a negative connotation in the cyber security domain that one can feel safe in using the word with a measure of distain.
Even in the world of so-called performance-based regulation, when the auditors come to the door they look for evidence of compliance. In other words, if the auditors where in fact measuring performance, then all one would need to produce is evidence of no successful cyber attack. But, we know this is not the case. Performance is expected, yet it is compliance that gets measured.
Should we therefore simply throw compliance out of the window and focus on “true” security instead? Maybe not, as there are data to support the notion of compliance being a positive factor, as well as noted cyber security thought leaders such as Marshall Abrams and Donn Parker who tout compliance as something we can at least measure. A problem that tends to be overlooked is that an ideal “true” security that is sometimes stressed by various cyber security experts isn’t worth much if it cannot be empirically verified; it might then only reside in the expert’s imagination. But once that it can be verified, it must also be possible to state rules and procedures how to arrive at “true” cyber security. Such rules, procedures, and their empirical verification may then well be turned into compliance checking. The bottom line is, compliance is not necessarily a bad thing in itself. We just need to find a way to marry it with “true” security.
Given a cursory review of multiple cyber security standards and frameworks the conclusion seems obvious; the issue is not compliance per se, but compliant to what? If there were a standard or framework that truly led to a state of continuously improving cyber security robustness, that would be a good thing. If there were such a framework, then striving toward compliance would add value to the process rather than simply being a requirement begrudgingly met.
Imagine a cyber security framework with sufficient value-add that organizations would adopt it without being required to do so. As you might surmise, The Langner Group has developed just such a framework called the Robust Industrial Control Systems Planning and Evaluation (RIPE) Framework. RIPE is at once sustainable, measureable, and leads to continuous improvement in the cyber security posture of our most critical infrastructure while minimizing the cost. It’s the happy marriage of the potential for rigorous compliance checking with “true” cyber security.