Tenable Blog

Since April 2014, a new trend in security has experienced a meteoric rise, with headlines grabbed in both mainstream media and the tech press. Vulnerabilities, once the preserve of the researcher and defender, were suddenly thrust into the limelight when an OpenSSL bug was announced. Previously, the chances of a big security bug being discussed outside of our industry were low, the media being more concerned about the outcomes and impacts rather than the methods.

This is the second installment in my Drifting Out of Compliance series, taking a closer look at organizational approaches to compliance and the challenges of shifting from a point-in-time compliance mentality to a continuous compliance one. Although a security first, compliance second approach is best, many organizations still struggle to attain the baseline level of security documented in compliance requirements.

We’ve all heard the saying about missing the forest for the trees many times, and network security professionals tend to “get into the weeds” when identifying and remediating threats. While it’s true that we can solve 80% of our network vulnerability issues by addressing the top 10% of our attacks, if we’re only looking at those top 10%, then we’re missing 90% of the forest. When we overlook so much, we lose visibility into some key indicators of possible compromise, and the big picture.

This is the first installment in a “Drifting Out Of Compliance” series where I take a closer look at organizational approaches to compliance, the resulting challenges that impact organizations’ ability to demonstrate point-in-time compliance, and the challenges of making the shift from a point-in-time compliance mentality to a continuous compliance one. A well thought out, risk based approach to establishing a comprehensive security program is the way to go, with compliance following as a natural result. A security first, compliance second mentality is ideal.