Continued focus on compliance rather than effectiveness is driving the market

In a story widely reported last Monday, enterprise software giant EMC Corp. announced its pending acquisition of the private company Archer Technologies, a vendor of IT governance and compliance solutions. EMC plans to make Archer part of its Security division, which itself was primarily created through EMC’s acquisition of RSA in 2006. Among the most compelling aspects of this story is a statement by Art Coviello, president of EMC’s security division (RSA), who explained RSA’s market perspective as follows:

“Traditional security management focuses primarily on addressing technology issues, but our customers are telling us that their real challenges are in the areas of policy management, audit and compliance. You can’t manage what you can’t see. The Archer solution not only offers the visibility into risk and compliance that customers need, it brings stronger policy management capabilities to the RSA portfolio. The end result is customers are able to better manage their security programs and prove compliance across both physical and virtual infrastructures, and effectively communicate to the business.”(emphasis added)

So to take the word of a leading security vendor, what customers say they need is help with compliance. To call this unfortunate greatly understates the issue, but it seems that the consistent emphasis of legal and regulatory schemes on security compliance — rather than effectiveness — is driving the market in a direction exactly opposite of where it should be going. While both government and commercial sector security approaches have been slow to realize the deficiencies of compliance-based security, more and more emphasis is starting to be (correctly) placed on continuous monitoring and event correlation, often in the name of achieving greater levels of situational awareness. In light of these trends, it is disheartening if not surprising to hear that those obligated to follow compliance-based security approaches apparently now prioritize demonstrating compliance and passing audits over enhancing security. Let’s be crystal clear, being in compliance with a security scheme that doesn’t measure overall security posture or security control effectiveness tells you nothing about how secure you are. Unless and until the regulatory requirements are revised towards controlling risk, mitigating threats, and testing security effectiveness, security programs are hung out to dry, with compliance having the greatest business visibility (at least until a major breach, outage, or other security incident occurs). Security managers have a hard enough time justifying security investment in economic terms; as long as compliance is the most tangible goal then compliance approaches will continue to take precedence over less emphasized but more significant efforts to actually improve operational security.