Compliance Isn’t Security—But It Helps

For more secure networks, federal IT teams should balance compliance exercises with risk management strategies.

It is all too easy for government IT professionals to confuse compliance with security, but those two concepts are not necessarily equal. For instance, agency IT teams can diligently follow the NIST Cybersecurity Framework, checking off all of the necessary boxes comprising the core structure and reporting results as required, and still fail to be truly secure.

Indeed, Merriam-Webster defines “framework” as a “conceptual structure of ideas.” That’s an adequate description of the NIST framework, which is only meant to serve as a baseline for a good security posture, not the security posture itself.

Security Complacency Exists, Despite Rising Threats

We wanted to explore this a bit more, so we asked respondents to our latest Federal Cybersecurity Survey if they thought that being compliant meant being secure. Seventy percent stated that being compliant does not necessarily mean that their agencies are secure. Meanwhile, a majority (54 percent) responded, “Security regulations and mandates lead to complacency since tasks are performed to ‘check a box.’”

The good news is that teams understand the difference between simply following regulatory guidelines and achieving true security, but complacency is worrisome (though not really surprising). These people have a lot on their plates, with limited time and budgets. Survey respondents are most concerned about the security threats from careless and malicious insiders, a data point that could be linked to the increasing complacency within agencies.

Still, Federal Agencies Are More Proactive When It Comes to Security

Our survey did show some very positive signs, too. A majority of respondents (75 percent) believe that, when it comes to security, federal agencies are more proactive than they were five years ago.

Rather than taking a traditional, reactive stance to security, IT professionals have implemented strategies to mitigate those threats before they occur. For example, agencies have invested in a wide range of tools to help them fend off attacks. According to our survey respondents, the three most popular of those tools are endpoint security software, network administration and control solutions, and configuration management software.

While Compliance is Not Security, It Helps with Security

Sixty percent of respondents agreed that “compliance has helped my agency improve its cybersecurity capabilities.” Clearly, the mere act of striving for compliance has caused agencies to become more secure. The existence of government mandates is causing agencies to implement some measure of security protocols, even if those protocols offer only the bare minimum required by things like the NIST Cybersecurity Framework and HIPAA.

What does true and complete lockdown security look like, then? According to survey respondents, the answer is a combination of compliance and proactive risk management. Sixty-eight percent of respondents stated that “implementation of relevant standards is critical to achieve our cybersecurity targets,” while 62 percent agreed that “agencies that merge and balance both risk management and compliance are more likely to avoid IT security issues.”

To strike this balance, federal IT teams should engage in a few core strategies:

Establish security goals. The ultimate goal is “no breaches,” but there are goals within that goal. For instance, agencies may wish to mitigate the potential for careless or malicious insider threats. Alternatively, they may opt to focus on filling security holes caused by IT modernization (66 percent of respondents stated that network modernization has increased their security challenges).

Train employees from the top down. Respondents indicated that one of the key stumbling blocks to providing evidence of good IT controls remains insufficient IT and user training. Due to gaps in training, a significant number of IT professionals are ill-equipped to respond to and remediate security issues, while users simply do not understand the threats and their impact. This indicates that education must continue to be at the forefront of agencies’ cybersecurity initiatives. Users must understand the roles they play in keeping their agencies protected, and administrators must understand the threat signs and the tools they can use for rapid response and remediation.

Adopt the correct solutions to address security challenges. Tools cannot replace knowledge, but they can certainly make IT professionals’ lives a lot easier. Implementing security solutions that can automatically detect and remediate network anomalies—including inappropriate network access from potential intruders, rogue devices, and possible distributed denial-of-service attacks—can decrease downtime and offer a solid protection layer.

Regardless of the steps they take, agency IT professionals must always remember that every agency is different. The needs of their agency may not necessarily mirror the needs of another. Thus, compliance with a set of federal guidelines is not necessarily going to equal the best possible security posture. Agency teams must craft their own security programs on top of these government-mandated foundations to effectively meet their own unique cybersecurity goals.

Joe Kim is executive vice president of engineering and global chief technology officer of SolarWinds.
