Is 90 Percent Compliance Good Enough?

Here’s a great review of practical security controls: SANS’ 20 Critical Security Controls, Version 3.0.

It’s heavy in FedSpeak, and clearly aimed at FISMA folks, but even if that’s not you, I encourage you to check out the controls anyway. I think there’s real wisdom here – practical advice from people who’ve lived it, and thought about it, a lot.

As the Verizon DBIR makes perfectly clear, the essential two-step is 1) check the basics, then 2) check them again.

I’ve been talking to some CISOs recently in an informal survey – a hypothetical situation:

Suppose you have some core controls, and you’re hitting 90 percent compliance with them. What’s the next most important action you would take? Should you define more controls to cover more aspects of security? Or should you drive for 95 percent, then 99 percent, on those same core issues where you’re already at 90 percent?

I was expecting some divergence of opinion. So far, I haven’t found any.

Everyone I’ve spoken with seems to agree that you have to drive higher than 90 percent on the basics first. The thinking appears to be that when the Lulz ant swarm comes for you, or the script kiddies turn their automation tools your way, they will find your weak spots, and they will do it easily – just like real ants, trying to get to your kitchen. So people want to make sure the fundamentals are covered.

If you see it differently, please argue with me – I’m curious to find anyone with a contrary point of view.

If we all just agree that the first thing is to get better at the basics, then we have to ask “what are the basics?” and that’s why I like the SANS piece.

By most appearances it’s the latest version of the project formerly known as CAG – the Consensus Audit Guidelines. That was a hot topic a while back, but I’ve seen it cool a bit recently. (It did come up in an analyst call recently with the 451 Group’s Andrew Hay, but in the camp of “whatever happened to that stuff?” – a pity.)

If this “Controls 3.0” SANS guideline set is the new home of the CAG thinking, I’m happy – I think this is a really good overview of the basics, and as I say, most people seem to agree that it’s about getting better at the basics before we waste our time and money focusing on Dr No’s latest evil scheme.

Time has shown us – the bad guys won’t use difficult attacks to get in through an upstairs window if we leave the front door open.

2 Responses to Is 90 Percent Compliance Good Enough?

  1. Why not just go the extra 10% and give yourself peace of mind?

    I guess it depends on what you’re protecting, really. The low-level vulnerabilities that you’re not going to patch up or protect always seem to be the ones that give an attacker the most freedom or power to move within your systems/network.

  2. Pingback: Leveraging Security Metrics To Protect Your Network | RedSeal Networks Blog