Does compliance = security? The answer to this question is not necessarily black and white.
Though many have expressed the opinion that NIST provides a false sense of security – it could be argued that the intent of NIST guidelines are not to be the only point of reference on which to base your security posture. Are you using NIST as a checklist to do the bare minimum – or are you using it as a framework to approach a large, complicated challenge in an organized manner? Are you performing thorough automated and manual testing on your environment on a regular basis, or are you just hoping your defenses hold up until your next assessment? Mindset can make or break the effectiveness of a framework. And doing the bare minimum when it comes to implementing security controls just to get an ATO can prove catastrophic for your cyber resiliency.
According to Ron Ross, a NIST fellow, this debate is frustrating. “You get this false argument that you are compliant but not secure. No, compliance does work.” Ross went on to say “Compliance has to be thought of not as a checklist but as implementing a good risk management program and approach to all of your information technology assets, all your systems and networks.”
Advances in technology lead to new attack surfaces almost daily. Framework and security control updates, however, are not done in real-time. Awaiting specific guidance to address threats and vulnerabilities, therefore, is firstly not the intent of this guidance, and secondly an easy way to set yourself up for failure. Unfortunately, the reality is a reactive approach to security in which system owners aren’t addressing issues until required to do so by a guidance update that their organization pushes down on them as a requirement.
On top of that, we can’t always stay ahead of the unknown. For every cyber professional in the US, there are multiple adversaries overseas trying to beat them to the punch. Unfortunately, if a breach occurs in an ATOed environment – people will be quick to blame NIST. Accountability must lie with the System Owner who decides how to implement security, while NIST is simply providing a guideline as to what should be implemented.
What are your thoughts? We would love to hear your opinion.
Spread the Word