Maxim Annenkov, Security Vision
People in general are susceptible to cognitive distortions, that is, distortions in the perception of information or events. For example, one such distortion is ‘confirmation bias,’ where people tend to seek out and interpret information in a way that confirms their pre-existing beliefs. Another example is the ‘selection effect’, where people make choices in favour of information that confirms their preferences, ignoring other possible options.
Because of cognitive distortions, individual companies or even entire holdings can end up dependent on the subjective perceptions of their decision makers. This problem exists in every aspect of an organisation, but in this article we will look at how relevant it is to the field of information security and how "paper security" can be a useful tool in combating cognitive distortion.
Problematics
In today's world of information security, it is easy to get carried away by the pursuit of new technologies and trendy data protection techniques. After reading alarming, eye-catching news and reviews, one can form a budget for the purchase of the trendiest security tools. With this approach, a company can be ‘protected’ by the latest NG-, AI-driven, All-In-One data protection systems while elementary processes such as access control or backup are never built. As a result, ransomware opened by an employee unaware of cyber hygiene will stop the work of such a company for an indefinite period of time, despite all the fancy products protecting the infrastructure.
At the other extreme is a situation where decisions are made largely on the basis of experience gained within the local CISO's own area of expertise. In this case, it depends on which branch of IS this CISO comes from. If, for example, he has built his career in incident response, he will pay more attention to reactive measures and neglect preventive ones, until he is faced with an incident that is brilliantly investigated but has already caused significant damage to the company.
Compliance exists to help avoid the problems described above. Unfortunately, this process carries a persistent stereotype of ‘paper security’ that has no connection to reality and is done only to meet regulatory requirements, as if people sit down and write policies and regulations that have no impact on anything and are only taken out when an audit arrives. Of course, this is true in some companies, but Compliance as such is not limited to writing policies.
Briefly about the Compliance process
The term ‘Compliance’ itself comes from the Latin word complere, which means ‘agreement’ or ‘compliance’. It is a system of control and compliance with rules, standards and laws that helps companies manage risk and prevent violations.
There are many different frameworks, but their aim is the same - to systematise knowledge and practices to avoid strategies being shaped by subjective factors. This allows us to look at security from the perspective of accumulated global experience, to see the interconnections of different lines of business and to avoid possible mistakes in decision-making. Ultimately, using frameworks allows us to take a bird's eye view of our business processes and build an effective strategy based on objective data and experience.
For example, virtually all information security frameworks typically have the following major domain categories:
1. Identity and Authentication (Identity and Access Management) - Ensuring proper user identification and managing access to information resources.
2. Data Protection - establishing mechanisms for data protection, encryption, access control and data monitoring.
3. Secure Software Development - implementing secure practices in the software development process.
4. Vulnerability Management - identifying and remediating vulnerabilities in information systems.
5. Security Monitoring - continuously monitoring and analysing events to detect security anomalies and incidents.
6. Incident Management - developing procedures for responding to cyber incidents and restoring system health.
7. User Awareness - educating employees on information security measures and increasing their awareness of cyber threats.
These domains represent the main aspects of information security and are important to ensure that information is protected and security standards are adhered to within an organisation. Each particular framework may supplement, refine and lay out these categories in different ways, but this core set is present everywhere.
How to implement it?
Let's look at the basic steps for taking a conscious approach to building Information Security Compliance processes in your organisation:
1. Defining requirements and standards: start by identifying the relevant legal requirements, regulatory standards, information security standards and policies that your organisation must comply with.
Today, Information Security Compliance has become mandatory for most companies, especially those dealing with finance (GOST 57580) or personal data (FSTEC Order 21). If, somehow, you are not subject to any regulation, you can base your compliance policy on international best practices such as ISO 27001 or CIS Controls.
At this stage, it is advisable to establish the interrelationships between all the requirements of the various standards that you are required or willing to comply with.
2. Analyse the current state: conduct an information security audit to determine your current level of compliance.
At this stage, it is recommended to compile an inventory of protection measures such as implemented security measures, IS policies and regulations, configuration rules for the supporting infrastructure, and other IS-related activities. The links between requirements and protective measures should then be established.
Keeping these registries up to date will have two positive effects. Firstly, you will always know what requirements you have already implemented, what domains you have gaps in, and why you need to implement something else. Secondly, if the need arises, it will be much easier to assess compliance with any new standard, because mapping the requirements of the new standard to the register of fulfilled requirements will already close more than half of the questions.
3. Monitoring and evaluation: establish mechanisms to monitor and evaluate compliance policy implementation, regularly analyse the results and adjust processes as necessary.
You need to build in a change-management process for data protection measures so that the register of implemented protection measures is adjusted promptly. This way you can see in near real time when a requirement stops being met and take corrective action.
4. Stakeholder Engagement: Keep an open dialogue with your stakeholders.
Never forget that security does not exist in and of itself, but for the business it protects. Therefore, for successful information security, it is important to analyse business processes to identify threats and risks, assess them and minimise them with reasonable investment. At the same time, the benefits of security can indirectly improve aspects of work that are completely unrelated to security. Take the integration of a corporate messenger with AD as an example: improved information security also improves and speeds up internal communications. The risk of information leakage due to untimely account lockout is reduced, while employees can find colleagues' contacts faster and more efficiently.
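The register described in steps 2 and 3 (requirements linked to protective measures, with coverage per domain and reuse of the register to assess a new standard) can be modelled in a few lines. The following is an added example, not code from Security Vision or from the article; the standard names, clause references and controls are constructed placeholders, not real clauses of any standard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    standard: str   # constructed placeholder id, not a real standard
    ref: str        # clause reference within that standard
    domain: str     # framework domain from the list above

@dataclass
class Control:
    name: str
    implemented: bool       # a planned measure does not count as coverage
    satisfies: frozenset    # (standard, ref) pairs this measure fulfils

def covered_refs(controls):
    """All (standard, ref) pairs fulfilled by measures actually in place."""
    done = set()
    for c in controls:
        if c.implemented:
            done |= c.satisfies
    return done

def coverage_by_domain(requirements, controls):
    """Return {domain: (covered, total)} so gaps are visible per domain."""
    done = covered_refs(controls)
    stats = {}
    for r in requirements:
        c, t = stats.get(r.domain, (0, 0))
        stats[r.domain] = (c + ((r.standard, r.ref) in done), t + 1)
    return stats

def open_requirements(requirements, controls):
    """Requirements with no implemented measure behind them (step 3 output)."""
    done = covered_refs(controls)
    return sorted((r.standard, r.ref) for r in requirements
                  if (r.standard, r.ref) not in done)

def assess_new_standard(new_reqs, equivalences, controls):
    """Map a new standard onto the existing register: a clause is already met
    if an implemented measure covers it or its equivalent clause in an old
    standard. `equivalences` maps (new_std, ref) -> (old_std, ref)."""
    done = covered_refs(controls)
    met, still_open = [], []
    for r in new_reqs:
        key = (r.standard, r.ref)
        (met if key in done or equivalences.get(key) in done else still_open).append(key)
    return met, still_open

# Constructed sample register (placeholder ids, not real clauses)
REQS = [Requirement("STD-A", "1.1", "Identity and Access Management"),
        Requirement("STD-A", "1.2", "Identity and Access Management"),
        Requirement("STD-A", "4.1", "Vulnerability Management"),
        Requirement("STD-A", "6.1", "Incident Management")]
CONTROLS = [Control("AD-integrated accounts with timely lockout", True,
                    frozenset({("STD-A", "1.1"), ("STD-A", "1.2")})),
            Control("Monthly vulnerability scan", True, frozenset({("STD-A", "4.1")})),
            Control("Incident response playbook", False, frozenset({("STD-A", "6.1")}))]
NEW_REQS = [Requirement("STD-B", "A.1", "Identity and Access Management"),
            Requirement("STD-B", "C.7", "Data Protection")]
EQUIV = {("STD-B", "A.1"): ("STD-A", "1.1")}
```

Marking the playbook control as implemented is all it takes to close the Incident Management gap, which is the "quick adjustment to the register" that step 3 relies on.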
In conclusion, Compliance plays an important role in comprehensive information security, enabling managers and professionals to make informed and educated decisions. Through Compliance, it is possible to analyse a company's activities from a broader perspective, which enables the identification of both potential threats and weaknesses. Thus, Compliance is an essential tool for ensuring stability, transparency and efficiency in corporate governance.