Not long ago I got into an argument with an information security (“infosec”) person about that dirty word we all love to hate, compliance <shudder>. This person’s position was that compliance does not matter and does not advance the state of security “at all.” Sadly, these anti-compliance opinions are remarkably commonplace and often have the opposite effect of what the individual really wants: buy-in from decision makers. The impact of anti-comp opinions on our organizations is pervasive, invasive, and overwhelming.
Non-techies are Technology Empaths
The organizations we work for echo our opinions on tech and infosec. So, if you espouse an anti-comp opinion, the employees around you, as well as those you support and train, will begin to hold those same beliefs. For a large majority of the workplace, the infosec team operates with borderline magical abilities, which means that those who are not technically inclined will adopt the team’s opinions. Put simply, ask yourself a question: if you ran a company and your infosec team did not believe that compliance advanced the state of security, how much would you invest in data security, training, or infosec infrastructure? The answer is as little as possible, because if compliance does not matter to my infosec team, then why should it matter to me?
Data Breaches in 2015:
How many of you received a letter from Anthem, Premera, or Carefirst regarding the theft of your PHI from an unencrypted server? These three BCBS company breaches saw the loss of ~93 million PHI records in the span of six months. In tandem with BCBS, the Office of Personnel Management (“OPM”) discovered catastrophic on-going breaches resulting in ~22 million stolen records, many of which were from top secret security clearance applications. From OPM to BCBS, over 105 million people have had their data stolen this year. The inevitable lawsuits stemming from those breaches will revolve around two primary questions: whether the entities failed to meet industry standards and whether they violated the law, a.k.a. compliance.
Audits and investigations:
Investigations are coming. If you had any doubts or questions about whether the federal government was committed to enforcement actions and audits, read my article on the New Normal of HIPAA breaches, audits, and enforcement. Quickly, the OCR is out there and coming for you whether or not a breach or theft occurs. The OCR plans on auditing 10% of every covered entity and 5% of every business associate, regardless of whether a breach occurred. Add to this ramped-up investigatory presence the expanding range of penalties, both company and personal, and the case for compliance begins to crystallize. These efforts are not limited to the HIPAA sector either: the FTC recently released its “Start with Security: Guide for Business,” which promises to be a foundation of the FTC’s legal efforts against companies who fail to meet the minimum thresholds of these guidelines. Simply put, no matter what sector you are in, government efforts and spending are ramping up, often at exponential rates, to ensure that organizations with data are in compliance with the law.
Compliance is your friend
Compliance is no longer a four-letter word relegated to the low rung on the budgetary spreadsheet next to birthday cakes and dry erase markers. Compliance departments are becoming larger, more robust, and increasingly well funded every year. What many anti-compliance advocates do not realize is that compliance does advance the state of security, because it gives you a toolbox of legal authority to grab attention and justify spending on what matters to you: advancing information security within your organization. Not only is an anti-comp attitude unproductive, but it can literally impact your ability to do your job or even keep your job. Compliance means you, as an infosec professional, can get that buy-in on the project, tech upgrade, or conference you need to do your job. If you aren’t advocating for compliance in your organization, you should be, because it’s advocating for yourself.
It’s simple – advocate now, or pay later.
/s/ HH @LegalLevity
Another great post!
This is an excellent post. Thank you for writing a post that focuses on the importance of compliance. More healthcare and healthIT professionals are recognizing the costs associated with not being compliant too late. Posts like this communicate and educate others on the value of investing in compliance.
If anyone would like a few more instructive articles on HIPAA compliance as a whole, including discussions around encryption, this is a free resource we publish for the community: https://catalyze.io/learn
Similarly, if you want to get into the nitty gritty of things like encryption or breach policies, we recently open sourced all of our internal company policies, free for the entirety of the digital health community: http://catalyzeio.github.io/policies/