Nonsense Compliance

Author: David Doret, CISSP, GRCP, ISO 27001 LA, Lean Six Sigma Green Belt, PMP
Date Published: 15 June 2020

A project manager has just completed a cybersecurity project on time and on budget. He schedules the last meeting with his sponsor, the chief information security officer (CISO). While plugging in the projector for his final presentation, he thinks back on the frenzied few weeks he has just been through and sighs with relief. Soon, he proudly announces, “We deployed this new process; we trained our people and we are now compliant with the new policy.”

The CISO looks at him and says, “You have done a great job.”

Now, pause that story for a minute. I believe this conversation is nonsense. Can you guess why? (And please, do not cheat by looking at the next paragraphs.)

Proving the absence of noncompliance is hard, and possible only under rare conditions. In practice, the only thing we really know is that we have not yet found any evidence that demonstrates noncompliance. Depending on the effort we put into looking for noncompliance, we end up with a certain level of assurance that we may be compliant. And that is often the only thing we may ever hope for in our profession. Yes, that is a hard truth, but it is a tough world.

Coming back to our project manager, he should have said, “We deployed this new process and we trained our people. We then audited a random sample of X process executions and found no major defect. We reached the desired level of assurance that we are compliant with the new policy.”

That may appear to be a subtle difference, but it is a profound one. Noncompliance may be uncovered at any time. The project manager recognizes it. The CISO acknowledges it. Neither is lying to himself. If the CISO is not comfortable with the level of assurance the project provides, the CISO will ask for complementary controls.
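How much assurance does “a random sample of X executions with no major defect” actually buy? The following is an added worked example, not part of the original post and not the author’s method; it makes the simplifying assumption that executions are sampled with replacement (or that the population is much larger than the sample), so a clean sample says nothing stronger than “if the noncompliance rate were at least p, we would probably have seen a defect by now.” All function names and the 5%/95% figures are illustrative choices.

```python
"""Assurance from a zero-defect sample of process executions.

Added example. Model: each sampled execution is noncompliant independently
with probability `rate` (binomial / sampling-with-replacement approximation).
For a small finite population use a hypergeometric model instead.
"""
import math


def detection_probability(rate: float, sample_size: int) -> float:
    """Probability that a random sample of `sample_size` executions contains
    at least one noncompliant execution when the true noncompliance rate is `rate`."""
    if not 0.0 <= rate <= 1.0:
        raise ValueError("rate must be in [0, 1]")
    if sample_size < 0:
        raise ValueError("sample_size must be non-negative")
    return 1.0 - (1.0 - rate) ** sample_size


def sample_size_for_assurance(rate: float, confidence: float) -> int:
    """Smallest sample size such that, if the true rate is at least `rate`,
    the sample shows at least one defect with probability >= `confidence`.
    Solves (1 - rate)^n <= 1 - confidence for n."""
    if not 0.0 < rate < 1.0:
        raise ValueError("rate must be strictly between 0 and 1")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - rate))


def max_plausible_rate(sample_size: int, confidence: float) -> float:
    """Given a clean sample (zero defects) of `sample_size`, the largest
    noncompliance rate still consistent with that result at `confidence`:
    the p for which (1 - p)^sample_size == 1 - confidence.
    This is the honest content of 'we found no defect'."""
    if sample_size <= 0:
        raise ValueError("sample_size must be positive")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    return 1.0 - (1.0 - confidence) ** (1.0 / sample_size)


def assurance_statement(sample_size: int, defects_found: int, confidence: float) -> str:
    """Phrase the audit result the way the post suggests the project manager should."""
    if defects_found > 0:
        return (f"Audited {sample_size} executions, found {defects_found} defect(s): "
                f"noncompliance is demonstrated; remediate and re-sample.")
    bound = max_plausible_rate(sample_size, confidence)
    return (f"Audited {sample_size} executions, found no defect: at {confidence:.0%} "
            f"confidence the noncompliance rate is below {bound:.1%}. "
            f"Noncompliance may still be uncovered at any time.")


if __name__ == "__main__":
    # Illustrative target: detect a 5% noncompliance rate with 95% confidence.
    n = sample_size_for_assurance(rate=0.05, confidence=0.95)
    print(f"Sample size needed: {n}")
    print(f"Detection probability at 5% rate: {detection_probability(0.05, n):.3f}")
    print(assurance_statement(n, 0, 0.95))
    # The same clean sample is much weaker evidence against a 1% rate.
    print(f"Detection probability at 1% rate: {detection_probability(0.01, n):.3f}")
```

The last line is the point of the exercise: a sample sized to catch a 5% defect rate has well under a 50% chance of catching a 1% one, so the sponsor who reads “no defect found” as “no defects exist” is fooling themselves. The sample size, the confidence level and the defect rate the sample was designed to detect belong in the closing statement; without them, “we are compliant” carries no information.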

So next time somebody tells you “we are compliant,” send that person this blog post.

Editor’s note: For further insights on this topic, read David Doret’s recent Journal article, “A Decision Tree to Objectively Determine Policy Compliance,” ISACA Journal, volume 3, 2020.