Compliance Isn’t Security—But It Helps

Den Rise/

For more secure networks, federal IT teams should balance compliance exercises with risk management strategies.

It is all too easy for government IT professionals to confuse compliance with security, but those two concepts are not necessarily equal. For instance, agency IT teams can diligently follow the NIST Cybersecurity Framework, checking off all of the necessary boxes comprising the core structure and reporting results as required, and still fail to be truly secure.

Indeed, Merriam-Webster defines “framework” as a “conceptual structure of ideas.” That’s an adequate description of the NIST framework, which is only meant to serve as a baseline for a good security posture, not the security posture itself.

Security Complacency Exists, Despite Rising Threats

We wanted to explore this a bit more, so we asked respondents to our latest Federal Cybersecurity Survey if they thought that being compliant meant being secure. Seventy percent stated that being compliant does not necessarily mean that their agencies are secure. Meanwhile, a majority (54 percent) responded, “Security regulations and mandates lead to complacency since tasks are performed to ‘check a box.’”

The good news is that teams understand the difference between simply following regulatory guidelines and achieving true security, but complacency is worrisome (though not really surprising). These people have a lot on their plates, with limited time and budgets. Survey respondents are most concerned about the security threats from careless and malicious insiders, a data point that could be linked to the increasing complacency within agencies.

Still, Federal Agencies Are More Proactive When It Comes to Security

Our survey did show some very positive signs, too. A majority of respondents (75 percent) believe that, when it comes to security, federal agencies are more proactive than they were five years ago.

Rather than taking a traditional, reactive stance to security, IT professionals have implemented strategies to mitigate those threats before they occur. For example, agencies have invested in a wide range of tools to help them fend off attacks. According to our survey respondents, the three most popular of those tools are endpoint security software, network administration and control solutions, and configuration management software.

While Compliance is Not Security, It Helps with Security

Sixty percent of respondents agreed that “compliance has helped my agency improve its cybersecurity capabilities.” Clearly, the mere act of striving for compliance has caused agencies to become more secure. The existence of government mandates are causing agencies to implement some measure of security protocols, even if those protocols offer the bare minimum required by things like the NIST Cybersecurity Framework and HIPAA.

What does true and complete lockdown security look like, then? According to survey respondents, the answer is a combination of compliance and proactive risk management. Sixty-eight percent of respondents stated that “implementation of relevant standards is critical to achieve our cybersecurity targets,” while 62 percent agreed that “agencies that merge and balance both risk management and compliance are more likely to avoid IT security issues.”

To strike this balance, federal IT teams should engage in a few core strategies:

Establish security goals. The ultimate goal is “no breaches,” but there are goals within that goal. For instance, agencies may wish to mitigate the potential for careless or malicious insider threats. Alternatively, they may opt to focus on filling security holes caused by IT modernization (66 percent of respondents stated that network modernization has increased their security challenges).

Train employees from the top down. Respondents indicated that one of the key stumbling blocks to providing evidence of good IT controls remains insufficient IT and user training. Due to gaps in training, a significant number of IT professionals are ill-equipped to respond to and remediate security issues, while users simply do not understand the threats and their impact. This indicates that education must continue to be at the forefront of agency’s cybersecurity initiatives. Users must understand the roles they play in keeping their agencies protected, and administrators must understand the threat signs and the tools they can use for rapid response and remediation.

Adopt the correct solutions to address security challenges. Tools cannot replace knowledge, but they can certainly make IT professionals’ lives a lot easier. Implementing security solutions that can automatically detect and remediate network anomalies—including inappropriate network access from potential intruders, rogue devices, and possible distributed denial-of-service attacks—can decrease downtime and offer a solid protection layer.

Regardless of the steps they take, agency IT professionals must always remember that every agency is different. The needs of their agency may not necessarily mirror the needs of another. Thus, compliance with a set of federal guidelines is not necessarily going to equal the best possible security posture. Agency teams must craft their own security programs on top of these government-mandated foundations to effectively meet their own unique cybersecurity goals.

Joe Kim is executive vice president of engineering and global chief technology officer of SolarWinds.