September 1, 2021

Compliance driving security?

Company I work with (critical infrastructure) does cyber heavily through the lens of compliance, meaning compliance with federal regs dictates how we do cyber in a lot of cases. Let me say I totally understand that you have to comply. But doing cyber this way, I feel like we are giving the bad guys a blueprint on exactly what our security controls are and where our weak spots are. Am I crazy, or is this more common than I think?



Super, super common in anything that touches critical or federally linked systems. However, remember the tenet of open systems security, meaning that even if the adversary has perfect knowledge of the network, your data is still safe through strong implementations of controls and processes. A lot of issues arise from half-assing these controls and getting blown out due to those limitations. Also, a lot of those control sets (800-53 specifically) have loads of system-specific and organization-specific variables.


Well, by that logic, implementing security standards like NIST would be more dangerous than not following NIST. That is far from reality though, isn't it?

IMO: It's the other way around. Following a compliance regulation means you have to implement a base ISMS framework, you HAVE to have vuln assessments, you HAVE to have a remedial plan, you HAVE to demonstrate a security posture improvement plan, which, if left to an org itself, would rather spend that money elsewhere than on security.

Let's take an example: employees are the weakest link. An org implements some form of security education because of regs; chances are this "can" reduce phishing attacks, and if a TA knows the org educates employees, the TA's low-effort attempts will fail, and he will need to up his game and move on to more effortful attempts. How does awareness of the org's compliance benefit the TA?
