Information security trust and outcomes: a case study of compliance in a complex system
As recent high-profile data breaches illustrate, an organization that complies with information security control frameworks can still suffer successful attacks and the subsequent erosion of trust. Information security frameworks used in the federal, payment, and health care industries rely on a core catalogue of security controls to standardize practices and facilitate assessment. In theory, an organization implementing these standard controls and practices would maintain sufficient security to protect sensitive data. However, these catalogues of controls require resources to implement and change slowly compared to the evolution of technology and threats. Viewed as a static set of rules in a dynamic complex system, the implementation of catalogues of controls may not create predictable outcomes, nor act as a reliable indicator of the quality of an organization's security program. I used a case study approach to analyze an organization's security outcomes during a period when control catalogue implementation transitioned from a best practice to a regulatory mandate. I analyzed the organization through the perspective of a complex adaptive system, identifying the complex properties of the organization and its information security team as they endeavored to ensure strict compliance with the control catalogues. I collected data on factors related to the organization's security outcomes, as well as its finances, strategy, and governance. Despite significant changes in IT intensity, strategy, and corporate leadership, the security outcomes faltered and recovered as emergent processes evolved from the dynamic environment. The compliance results, however, were ambiguous. The formal third-party compliance assessment presented outcomes that overstated the impact of isolated controls from the catalogue while failing to highlight the broader issues related to organizational risk. This prevented the compliance assessment from representing the true state of security of the organization's systems. I conclude that the current method of assessing the quality of an organization's information security program against a control catalogue does not provide sufficient information to establish meaningful trust between organizations. An alternate method that takes a broader perspective of risk may improve the reliability of assessments and provide a more meaningful way to communicate trust.