Regulations "are often written in response to a very specific or perceived risk that may or may no longer exist, has other mitigations or whose likelihood is so remote that it is a non-threat," Hildesheim says.
Overzealous Virus Scanning
Several years ago Proctor and other Gartner analysts were visiting a large credit union to discuss security strategy. The firm had just experienced a computer virus attack when a user had connected an infected PC to its corporate network and inadvertently spread the virus.
"So they created a blunt rule that said every machine the comes into the organization from outside had to have a full virus scan," Proctor says. "This was done at the security desk and it took two hours for each machine. When we showed up for our meeting we couldn't get in" because of the delays. "The meeting was cancelled because of this silly decision. And who knows how many pieces of the business were impacted because of this rule."
It likely had a negative impact on the organization's security posture because of increased resentment toward security, Proctor says. The solution, again, is to more clearly think through how compliance standards should be implemented and their potential impact on all aspects of the business.
Vulnerability Scoring and PCI
The PCI standard requirement for a "clean scan" is a huge burden on businesses, says Adrian Sanabria, senior security analyst at 451 Research. "It steals focus away from more effective risk-reduction work and encourages a dangerously false sense of security," he says. Earlier versions of the PCI security standards "required businesses to show that all vulnerabilities rated a 'CVSS score of 4.0 or higher' be resolved," Sanabria says. "This is a hugely labor-intensive process that yields very little return on security."
The key issue here is the ineffective nature of vulnerability scoring, Sanabria says. "The automatic score given to a vulnerability—provided it isn't a false positive—is often highly inaccurate," he says. "It is simply a best guess' without some extra work to factor in each organization's unique context. The vast majority of effort often goes into fixing vulnerabilities that aren't a threat at all, and potentially ignoring ones that could be critical, but were scored under PCI's threshold."
Many times larger organizations have a person entirely dedicated to coordinating tasks and obtaining clean scans, Sanabria says. "That's one person's time dedicated to a tiny fraction of PCI," he says. "Newer versions of PCI have tried to correct this issue by implementing a new requirement in which each organization applies custom rankings to each vulnerability that affects them. Now these organizations will have to dedicate a second person to the task of vulnerability management."
Sign up for CIO Asia eNewsletters.