Compliance security cultures are common in today’s cyber security environment. A proliferation of security- and privacy-related regulations, increased industry focus on secure operations, and growing customer and market demand for better data protection make compliance a valid concern for any organization that uses information technology. Firms that collect, process, or store people’s personal data, or that operate across national and regional boundaries, must often meet complex compliance requirements just to do business. For this reason, compliance is regularly cited as the single biggest driver of information security today.
What Is a Compliance Security Culture?
Compliance security cultures combine a desire for tighter control of security operations and activities with a focus on external stakeholders such as government regulators, industry associations, and customers or partners. These organizations score highly in the top right quadrant of the Competing Security Cultures Framework model.
If your organization has a Compliance security culture, you may put a lot of time and effort into successfully passing security audits. Or your concerns may have more to do with your reputation and relationships with your customers, vendors, and even competitors. In either case, you are under scrutiny from outside, and the success of your cyber security program has a material impact on the success of your business. Failing an audit may result in fines or the loss of key business enablers, such as credit card processing. A security breach may negatively impact sales, growth, or profits as customers or partners abandon your organization for competitors perceived as more secure.
Because the costs of poor security performance can be so high, you may notice that your organization devotes a lot of resources and money to activities at the interface between your organization and the outside world. These may include audit functions, legal groups, or even marketing and PR. Wherever security must be explained and justified to an outsider, you can expect to see a flow of people, time, and budget. Documentation and standardization around frameworks will probably be familiar to you within this culture, as will goals centered on the repeatability of successful audits and the avoidance of inconsistencies, at least where external scrutiny is likely.
Core Values, Strengths, and Weaknesses of Compliance Security Cultures
Compliance security cultures tend to value very rational goals when it comes to security, built on the perceived expectations and demands of external stakeholders. It is typically not difficult to obtain senior support or budget for security systems and projects if the security team can demonstrate that a lack of resources would increase the chance that an audit will fail or a contract will be lost. In some regions and sectors, good security may even be equated with ethical business conduct.
Compliance security cultures can focus attention and drive budget and resources toward robust security practices. These cultures also usually enjoy the benefits of documentation, formal processes, and repeatable operations, as all of these are useful evidence of best practice should external stakeholders demand assurance. Organizations with Compliance cultures are better at understanding their place as part of a larger security ecosystem, rather than acting only for themselves or in ways that ignore the wider impact of their security practices on others.
However, the natural strengths of a Compliance security culture may turn to weakness and vulnerability when an organization confuses the evidence of good security with the reality of good security. Cyber security is an incredibly complex endeavor. Even the most extensive security audit can explore only a fraction of a firm’s operational reality. Organizations that slip from a Compliance culture to an “audit culture” stop being comprehensive and concentrate efforts primarily on “checking the boxes” or implementing controls they need to pass a test. In other cases, companies may oversimplify security and concentrate effort on a few areas where external scrutiny is more likely to occur, neglecting other sources of security risk.
Not every organization falls into these traps, but they are common enough that every Compliance security culture must be wary of them. When operational reality does not match what is “on paper,” confidence about real risks becomes a false sense of security. Several firms that have experienced major security breaches in recent years had, in fact, successfully passed repeated security audits leading up to the breach.
Where Do You Find Compliance Cultures?
Compliance security cultures can exist in any organization. They tend to be the dominant security culture in heavily regulated industries, where audits are more frequent and more intense, or in industries with close relationships to customers and suppliers that can be affected by bad security decisions.
Insurance – Collection of extensive personal data combined with onerous regulatory requirements means that insurance companies often exhibit strong Compliance security cultures simply in order to do business. The irony comes when an insurance company falls into the audit trap and ceases to manage security risks effectively, relying instead on checklists and controls rather than applying to security the sort of actuarial rigor it uses every day in its core business.
Healthcare – Healthcare, another highly regulated industry, pioneered checklists and controls as quality controls for medical services, and those programs are models for how checklist approaches can deliver value and benefits. But the checklists work because healthcare organizations are bolstered by a human safety culture with moral and ethical weight. In better healthcare security programs, tools of the medical trade, such as holistic evaluations, experiments, and an ethic of care, help avoid the traps Compliance cultures face. Yet in many organizations information security has not kept pace with other medical best practices, and their security approaches remain audit-centric.
Retail – Probably no single regulatory framework has been as influential on security as the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS originated with the private sector (the card brands) rather than with government regulators, but has since become the “standard that launched a thousand audits,” creating an industry within an industry for security products and services. Although any organization that stores, processes, or transmits payment card data has a PCI requirement, retail firms are especially affected. In some of these companies, information security is essentially synonymous with PCI, despite the standard’s narrow focus on the systems that handle cardholder data.