PCI compliance didn't spare a major retailer from a massive hack that stole 40 million customers' credit card records. And complying with HIPAA regulations governing health care information didn't prevent a major insurer from suffering a breach that exposed the personal medical and financial information of nearly 80 million people.
Keeping up to date with regulations is certainly important. But merely complying with security regulations doesn't guarantee organizations are actually secure.
In an ever-changing threat environment, true security depends on minimizing cyber risks rather than checking all the right boxes.
State and local government organizations often prioritize compliance at the expense of other security measures. To be fair, it's tough to blame them. Failing to comply with numerous security regulations can trigger audits or make a public entity ineligible for federal funding or grants.
But state and local leaders shouldn't let satisfactory compliance report cards lull them into complacency. A clean bill of compliance health at one particular point in time doesn't ensure that an organization hasn't fallen out of compliance after a month or two.
Even if an organization maintains perfect compliance, security controls are inherently designed to thwart yesterday's hackers, not today's or tomorrow's. Security officials who assume that complying with outdated regulations will prevent breaches are like generals who prepare their troops to fight the last war.
A proactive approach to cyber security relies on multiple facets, such as security program assessments, incident response readiness, and control frameworks. Furthermore, there is no substitute for good threat intelligence to provide visibility into the dark space that compliance overlooks.
Unlike static compliance checkpoints, security program assessments give decision makers quick feedback on an organization's current cyber risks. Understanding where their organization is vulnerable enables leaders to redirect resources to protect their most valuable cyber assets.
Control frameworks, such as the ones developed by the National Institute of Standards and Technology and the International Standardization Organization, are models that help government entities assess their current responsiveness to threats. Equally important, the frameworks help organizations identify what they need to change to minimize risks.
Organizations can no longer simply comply with security regulations and hope for the best. Hackers are too adaptive. To prevent successful attacks, state and local governments must be equally flexible and counter tomorrow's threats with risk-based security measures.
Update: An earlier version of this post included a reference to a reported breach at the California DMV. According to a spokesperson from the California DMV, following a third-party investigation there was no evidence of a breach.