The Risks of 'Security by Compliance' - Interview with ISACA's John Pironti
In an exclusive interview, Pironti discusses:
In addition to his role with ISACA, Pironti is currently the Chief Information Risk Strategist for CompuCom. He has designed and implemented enterprise-wide electronic business solutions, information security programs, and threat and vulnerability management solutions for key customers in a range of industries, including financial services, government, hospitality, aerospace and information technology on a global scale. Pironti holds a number of industry certifications, including Certified in the Governance of Enterprise Information Technology (CGEIT), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Information Systems Security Architecture Professional (ISSAP) and Information Systems Security Management Professional (ISSMP). He is also a published author and writer, and a frequent speaker on electronic business and security topics at domestic and international industry conferences.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group, revisiting today with John Pironti, Chief Information Risk Manager with CompuCom and a member of ISACA's Education Board. John, it's been about six months since we've spoken; it's good to talk to you again.
JOHN PIRONTI: Good talking to you, too, Tom.
FIELD: Here we are, year-end, going into 2009, and it has been an eventful year for one. What would you say have been the three greatest risk management and compliance issues that you've seen this year?
PIRONTI: You know, Tom, I think that is a great question. I think that the most interesting challenge we've faced this year is understanding what we should do first, what we should go after first. A lot of people are actually spending time working on compliance activities more than they are working on risk management and security activities, due to the release of the new PCI standards and some of the enforcement of PCI, as well as the data breach laws that keep growing in the United States, and the understanding that there now are global laws that need to be dealt with as well, like the E-Data Privacy and Data Security Acts.
So people are really starting to line up around the idea of trying to do what they think they have to do to make these external audiences, like the examiners and the regulatory agencies, happy and not so much focused on their internal risk-based approach to understand what they really should be doing to protect themselves appropriately.
FIELD: Now John, before we got on the phone you mentioned to me the topic of security by compliance. Could you explain what you mean by that?
PIRONTI: Absolutely. This is actually one of my biggest concerns right now in the industry on a global scale. We are spending a lot of our time in organizations focused on trying to meet the needs of regulatory or industry standard requirements. So we have regulations, and in this case industry standards such as the payment card industry standard, which has very explicit and very definitive technological requirements that organizations are expected to meet if they are handling card data, credit card data that is.
So a lot of organizations are spending their time, resources and efforts focused on meeting that checklist or developing checklists from the BITS groups from their FISAP conversations for vendor compliance. They are trying to make sure they are meeting all of the needs of the FISAP requirements, and they are not necessarily taking a risk-based approach that says what is really important in [their] world.
They are not feeling threatened on the analysis. They are not doing appropriate risk management and risk assessment. They are saying 'If I do the checklist, then I must be okay,' and that is really not a good idea, because the checklist really only gets you part of the way there. It does establish a nice baseline. It does force us to do certain things better than we were doing before in some cases, but it also gives the adversary community a roadmap of what you are doing and where you are spending your time and where you are spending your resources, and they know that, and they are not going to hit you there.
FIELD: So what would you say are the top business risks of this security by compliance?
PIRONTI: I think security by compliance also equals complacency. I think that what you are finding is a lot of people are saying 'If I am certified for PCI, or if I'm meeting the needs of Sarbanes-Oxley or GLBA or E-Data Privacy or even ISO 27000 Series, that must mean I'm secure and that must mean I'm okay.'
So now people are getting a false sense that everything is okay. In the court of public opinion, in the real courts, if you have a breach, if you have a situation, even if you are compliant to these standards, it does not mean that you are not going to be held liable or accountable, and that is the law people don't understand at this point. They feel as though if they just do the checklist, then they are going to be okay. Unfortunately the checklist does not cover their reality of threats that exist today in the adversary community.
FIELD: Well, you make a good point, because we had the Hannaford breach earlier this year, where Hannaford comes out and says 'Well, we were PCI compliant,' but there is not a single Hannaford customer that was violated that much cares.
PIRONTI: Right. PCI is going to be great when it comes to going into the courts when you are doing your class action suits, or you are going to have the people fight and say we were compliant to the standard, but then that is going to call into question whether the standard makes sense.
The PCI Standard has been a great thing for us in a lot of ways, and it has brought a lot of baseline capabilities to organizations that traditionally did not take a real focused approach to information security. But the technological guidance that it is requiring really is strangle-holding a lot of people into doing things that they really can't afford to or maybe should not do, and not spending time where they should.
So now we are going to have this question with Hannaford and they are going to say in the records that they were PCI compliant and they were certified as PCI compliant, and the question will have to be to the PCI Council: If they were compliant, then why did they have this exposure? And it was not that it was such a tremendously interesting technological exposure, it was an exposure that if done through a risk and threat assessment probably would have been understood and evaluated and may have been prevented if they weren't so focused on taking the checklist approach.
FIELD: Now John, I can understand the checklist approach from a financial institution's perspective because what they tend to do is react to what the regulators tell them to do. They are told to do "A," and they do "A." And especially now where financial resources are certainly hard to come by, it is hard to go beyond "A." What is the viable alternative to security by compliance?
PIRONTI: The real viable alternative is to be proactive. The idea is to take a risk-based approach and not a checklist-based approach. Understand for your world what are your best practices.
See, I can't tell you, nor can anybody else in the industry tell you, what a best practice is for your organization. I can tell you what a leading practice is. I can tell you what things we are seeing that are consistent amongst many people or many organizations. But only you inside your organization can decide what you need to focus on, what you need to do and what works for your organization, and what is going to actually provide a level of security.
The way that we approach this is we go through, and we do these threat and vulnerability analysis concepts of business processes, not just technology. A lot of people focus on technology. They focus on their patching and their anti-virus, but they don't focus on their data. They don't understand where their data is.
In fact, if you ask many organizations, they can't tell you on a regular basis where all their sensitive information is at any given time. And a clear example is to go to any executive who has a BlackBerry and ask them to see the email on that BlackBerry, and you will also find a lot of sensitive information on that BlackBerry, which may or may not make sense to be there based on the environments they are traveling in or the areas they are going in.
FIELD: That makes sense. Now I'm thinking in terms of a regulated industry like banking, credit unions, that sounds like something the institution really has to work with the regulatory body and the examiner to establish this risk profile and what they are going to focus on.
PIRONTI: Well I would say that the examiner handbooks that are coming out through the FFIEC Guidelines and such, they actually give us a lot of good guidance and they do ask you to understand how you are taking a risk-based approach.
And I think Gramm-Leach-Bliley in the United States really gave a great perspective in the 302 sections of the expectation with the regulators; that says you need to have an information security program and you need to understand the threats to your information, your customer information, and you need to have vendor compliance and an asset inventory, and that is a logical inventory of your data, of your customer information.
That is where I think we started seeing some great guidance that said 'We are not going to tell you the exact technology, we are not going to tell you the exact ideas; we are going to ask you to tell us what you are doing in your world to meet those needs and to demonstrate to us that you have an effective repeatable proactive and consistent way of assessing your threats and vulnerabilities and inputting that information into a risk assessment.'
FIELD: But it has got to fit your institution's risk profile is what you are saying?
PIRONTI: It's got to be your institution's risk profile. Everybody has got to understand what is the value they provide and what is the impact they have upon other organizations. We are so global now, and we are so interlaced with each other as organizations, that we have to appreciate the fact that if one of our environments gets compromised, it actually can impact many other people at the same time.
So we have to take into account a lot of new variables that we didn't have to in the 80's and 90's when we were working from the four walls, a LAN and a mainframe conversation that said that the data will never leave; that the data will never be beyond these walls and will only be with trusted partners and it's never a problem.
Now we've opened up our environments so much that we have to appreciate not only our impact upon ourselves, but also our impact across the board, and also appreciate what the acceptable risk levels are. And the risk level is not something a typical security professional is going to be able to tell you. Actually, it's a risk conversation, because you need to put in market risk, strategy risk, credit risk, finance risk. There are a lot of other factors beyond technological risk that have to be put in place to truly create your risk profile.
FIELD: Now John, you certainly spend a lot of time on the road and with different cultures and with different industries. Do you see leaders in this area, whether it is a particular region or a particular industry that is doing a good job of doing security by their own risk profile?
PIRONTI: Yeah, I'm happy to say that I think the financial services industry really has been ahead of this game for a long time. Mostly because they have been regulated around this area longer than almost anybody else, maybe healthcare being the second from a pharmaceutical and healthcare perspective has dealt with this.
But finance has always had a lead in appreciating information security requirements and risk-based concepts, and they are so good at calculating risks that they appreciate it more than do a lot of other industries. I think that a lot of other industries look to the banks and the financial services institutions to get guidance on how should they approach these things.
Unfortunately, with the economic downturns we are seeing now and some of the experiences we are starting to see with organizations who are having to cut staff or reduce funding of activities, we have seen some of them pull back a little bit more to that security by compliance or security by checklist approach, which really is going to be a detriment to them in the long term, though.
FIELD: Well, that's interesting, because that leads me to my next point. Going into 2009, we've got a Democratic President coming in and a Democratic Congress, and there is a realization that a Democrat generally means more regulation, and particularly now. What do you see as some of the major risk management and compliance issues that financial institutions are going to be dealing with next year?
PIRONTI: Well, I think that's a great point. I think as we are moving to a Democratic leadership in the United States, traditionally we have seen more regulation whether or not we are having a good or bad economic season or situation.
We always see more regulation from Democratic leadership, so I think that organizations are starting to gear themselves up to focus on the fact that they are going to see more regulatory requirements, especially now that information is becoming so valuable and the value is being so understood.
I think that we will start seeing the data breach laws, some of the loopholes with the use of encryption and things like that, are going to start being tied down and start being taken away, and I think that we are going to see more and more strict examination on a more regular basis that says 'Do we have appropriate asset tracking, do we know where the data is, do we have access, control and segregation, and do we have accountability and traceability for activities of people who are touching sensitive information within these environments?'
FIELD: John, from the ISACA perspective, what do you see as being some of the most in demand skills for financial institutions in security in 2009?
PIRONTI: ISACA has actually done a lot of great research recently, and some of the things that we are finding are that we are bolstering our educational requirements and our educational programs around compliance-oriented activities. Mostly because we realize that compliance is extremely important to organizations who all look at compliance as a concept and not as an individual regulation or standard. So they want to be able to get to a point where they can establish business as usual processes where they can be compliant all the time, versus having to set up special projects to do this on an individual basis.
So we are seeing these CISA and CISM designations getting a lot of traction in this area, and that is the Certified Information Systems Auditor and Certified Information Security Manager certifications are gaining a lot of popularity recently, because these are the types of certifications and skills that are associated with certifications that the organizations are looking for to assist them in meeting their new regulatory requirements as well as their existing regulatory requirements.
FIELD: Now that you look around the industry, you certainly see a lot of turmoil these days because lots of banking institutions are laying people off. What advice do you offer for someone that is looking to start or to switch a career in information security in 2009? Where should they go?
PIRONTI: Great question. Well, the best place to start is to use the internet. Google is your greatest friend. Google is the greatest hacking tool available, and it's the greatest knowledge management tool available. What I often tell people is in this era of regulation and this era of compliance, starting to understand what those regulations are and what the people are doing to meet them is really the right approach. There are a lot of great White Papers and a lot of smart people out there who have written some really good documentation that talks about case studies of how organizations are meeting this challenge already.
We coined this term "governance risk compliance," and that is kind of a new buzzword from the analyst groups. If you think about it, this work is what we've been doing for 20 years already in IT; we've just been shoring it.
I think if you start searching those types of sites and you start going to your site -- BankInfoSecurity.com is a great place I send many people to on a regular basis to learn more and to understand what are those regulations, what are the expectations that are supposed to be met to meet those regulations -- and then you can start mapping your skills and learning to understand how to help organizations achieve those goals better.
FIELD: The opportunity is certainly going to be there in 2009; security and compliance aren't going away.
PIRONTI: Absolutely. It is definitely increasing, and we definitely see more people in the recruiting world coming to us and saying that they are seeing more demand for people with our skills. The ISACA team is definitely seeing more interest in its education programs and seeing more interest in its certifications because these tend to be the certifications and the knowledge bases that are drawn to that type of knowledge.
FIELD: What is going to make a candidate stand out in these areas, John?
PIRONTI: A candidate to stand out in these areas really has to be able to talk about business. You need to be able to translate business and technology and technology concepts into business terms, and to really appreciate consistent methods and practices and how to assess threat and vulnerability and risk and how they map to different compliance considerations.
Understanding just one regulation or just one technology is not going to get you there. It is understanding the landscape of trends. Understanding where things are going and what direction moving forward will definitely make a candidate stand out.
FIELD: That's well said. John, I appreciate your time and your insights. Good catching up with you again.
PIRONTI: Thank you very much. Have a great day.
FIELD: I've been talking with John Pironti, Chief Information Risk Manager with CompuCom and a member of ISACA's Education Board. For Information Security Media Group, I'm Tom Field; thank you very much.