IT Compliance Matures into Risk Management

by Rick Dakin, CEO, Coalfire

As Coalfire completes its 10th year, we are thankful to have worked with thousands of clients and countless IT security thought leaders. Together, we have seen rapid change, an evolving threat landscape, and we are now better prepared to defend against known risks. Not surprisingly, much of that progress is due to compliance-related investments. As we look to our next decade, we are taking a broader view of IT Governance, Risk Management and Compliance, and see it as a proactive risk management framework.

The modern, real-world threat landscape is dynamic. We have seen ingenious and well-orchestrated attacks on banks that caused seasoned executives to lose millions to cyber thieves engaged in wire transfer fraud. The system in question had been set up to meet minimum regulatory requirements for validating user identity, and it was left vulnerable by weak, five-year-old passwords. A simple review of the risks threatening wire transfer accounts could have prevented the loss.

As the payment card industry reacts to increased enforcement of the PCI Data Security Standard, merchants are suffering staggering losses to credit card thieves. The regulatory requirements do not specifically mandate some of the relevant controls, and many merchants consider compliance with the basic PCI test criteria adequate. Unfortunately, this is a false sense of security. In reality, simple system maintenance and secure data deletion can prevent much of the loss. Now we have an opportunity to learn from those mistakes.

I am happy to report that many of you are already taking proactive steps to augment your IT compliance programs with enterprise-level information risk assessments. These programs are designed to identify potential vulnerabilities and guide control modification in order to decrease the impact on operations and the potential for data loss. Some of you have asked our audit and assessment teams to augment compliance testing with sophisticated penetration testing and mock social engineering attacks. This higher-level testing provides a better understanding of the effectiveness of your controls and enables you to make better decisions about adjusting your security program.

We are humbled by the increasing sophistication of emerging threats, but the Coalfire team shares your optimism that we can fight back and win. Because many organizations are wisely choosing best practice measures that go beyond compliance, the time from threat identification to risk mitigation is getting shorter.