The Black Book of Identity Access Mgmt


    Sunday, Feb 24, 2013

    Are you up to code?

    I've been doing a whole lot of talks lately about HOW TO PASS A SECURITY AUDIT. All too often, I get called into customers after they've failed an audit. Recently I received an invite to speak with a customer who knew they were woefully unprepared. They think they know what they need to do. And sometimes it's surprising when people in a particular industry, who presumably are paid to know the regulatory rules for said industry, don't understand the actual nitty gritty of those regulations. They've read the docs, but haven't translated that into duties and responsibilities (which are similar yet different) that can be understood by the people whose job titles or descriptions include those duties.

    As I've written before, security is NOT compliance, and vice versa. You can be compliant but still be insecure. Likewise, you can be relatively secure (remembering that nobody is ever completely breach-proof) and still fail an audit.

    But people confuse these two all the time, and don't understand where security and compliance overlap and where they are irrelevant to each other.

    Too often I'm also asked to help with "compliance reporting." And I remind folks, reporting is not compliance either. It tells you after the fact that you've been compliant, and provides what auditors call "evidence of compliance." But reporting is the thing that comes afterwards. Security and compliance are the things you're providing every minute of the day.

    The attendance at these speaking events, and the questions afterward, indicate the intense interest in the subject. But still there is a lot of uncertainty out there. In a sales cycle with a utility customer a handful of years ago, I beat the competition, who showed up and said, "here's our junk," by saying "here's MY junk and how it helps you with NERC CIP." I then became that customer's education program on NERC, because they hadn't established one yet. They conceded that they had all the documents on NERC CIP, but hadn't figured out how to translate them into tactical, day to day activities.

    Everybody knows they're supposed to be compliant, just as they know they're supposed to be secure. They just aren't always sure how to get there, and how to use the same efforts in some cases to achieve both.

    Next time, I will summarize the kinds of assets, processes, and knowledge base you need to pass a security audit AND bolster your security at the same time.