It is often stated that security is hard. Whether it is the people, the processes, the technology, or any combination of the three, security is a never-ending challenge. Compliance, by contrast, is relatively straightforward. For too long, and for too many organisations, meeting a compliance standard was seen as a satisfactory way to boast of security. The competing ideologies of security versus compliance have long vexed even the most optimistic cybersecurity professional.
We wanted to offer some professional insight on this inherent dissonance, so we asked some experts for their thoughts on compliance and security, and where the two could harmoniously intertwine.
What are the limitations of compliance when it comes to cybersecurity?
Gary Hibberd | Professor of Communicating Cyber | @AgenciGary
Compliance with legislation or standards is merely the entry point for cybersecurity. Complying with these requirements is therefore relatively easy, but it doesn’t necessarily mean you are more secure.
Angus Macrae | Head of Cybersecurity | @AMACSIA
The limitations are that the cyber world outside of compliance still moves very quickly, and simply being certified with a particular standard does not and cannot necessarily mean that you are in all ways “cyber secure.” It’s the same way that a driving test cannot possibly prepare you for every eventuality you may encounter on the roads—including situations caused by other drivers. Even so, passing a driving test should put you in a better place to deal with those situations than if you had not taken it.
Christian Toon | CISO | @christiantoon
Compliance can drive a culture of checking the box to deliver the bare minimum, and this is wrong on so many levels when it comes to cybersecurity.
Our adversaries know organizations take this approach, and they will craft their attack plans accordingly. Having a more agile and purposeful approach allows you to match your defenses to the threats you face. In this way, you assess everything for risks in a way that informs your response. You can thereby define what appropriateness looks like for your business, all the while bringing your people along with you as supporters.
Sarah Clarke | Security Governance, Risk, Compliance Specialist | @TrialByTruth
How much risk is tolerable is the real question and the persistent challenge. Compliance efforts are too often aimed at just securing cyber insurance or dealing with a regulated industry customer. The disconnect between the compliance line and a robust threat and risk assessment can result in significant levels of misinformed spending. Compliance is transient comfort. Robust risk management is persistent (but better informed) discomfort. The latter should be preferable.
Caryll Arcales | Global Security Specialist
Due to the changes in technology, one limitation of compliance is that it does not align, or it lags behind the latest trends in cybersecurity. For example, ISO 27001 was just updated recently to cover cloud security controls (not even published yet) despite cloud having emerged on the scene years ago.
Dean Ferrando | SE Manager, EMEA at Tripwire | @deanferrando
Compliance tries to help in considering areas that could be of concern. This is acceptable for the generic organisation, but what about areas that are specific to the individual organisation that the compliance framework did not consider? Compliance adherence is often dealt with on a set frequency, i.e., once a year, once a quarter, or some other interval. Security is about dealing with alerts consistently, and as they show up, making sure that any risks opened up with business-as-usual activities are dealt with immediately rather than only being discovered during the annual compliance scan.
What should organizations consider when it comes to closing the gap between compliance and security?
Gary Hibberd | Professor of Communicating Cyber | @AgenciGary
Organizations should consider developing a Governance, Risk and Compliance (GRC) framework that looks at how standards and legislation are adhered to, the risks confronting the business, and how compliance can be evidenced.
A GRC framework works best when it brings together multiple people from across the organization to focus on security together.
Angus Macrae | Head of Cybersecurity | @AMACSIA
Compliance is a good way of otherwise disparate parties demonstrating to each other that they have the commitment to meet certain non-negotiables with a similar if not equivalent level of rigor. This can then form the first pillars of credible trust. Certain compliance activities in many sectors are also legislative and not necessarily a matter of choice, which can help get certain cybersecurity activities or investments prioritized in a way that they may not otherwise be.
Christian Toon | CISO | @christiantoon
This isn’t about ‘not’ being legally compliant, which of course is expected. It’s about framing the approach. Behind the scenes, you need to make sure you can map “Acme Corps’” control framework to your compliance obligations. There will always be an auditor waiting round the corner or a client expecting a particular standard to your industry. You’ll be closing that gap because your people will operate differently.
If you get this framing right, your customers will see the difference, you can differentiate yourself against the competition, and create a security program that operates threat-based controls.
Sarah Clarke | Security Governance, Risk, Compliance Specialist | @TrialByTruth
The critical partner piece is a responsibility assignment matrix, also known as a RACI model. Nothing will get done if senior stakeholders are not getting clear and concise information on the scale and nature of required work. It has to be in context of all the other organizational priorities and stakeholders you depend upon for input.
This informs a justification for required exceptions from specified compliance benchmarks or clarity about required spend and trade-offs for non-negotiable requirements.
Stuart Coulson | Manager of Business Engagement | @SPCoulson
Compliance does not equal security. Security does not equal secure. Compliance demonstrates a minimum standard to compliance, while security shows the process of implementing controls for compliance and perhaps even a step beyond the level set by the standards. However, “secure” means being able to mitigate attacks.
Caryll Arcales | Global Security Specialist
Communication is the key. This is especially true when it comes to closing the gap between compliance and security. Teams need to collaborate with each other to align cybersecurity with compliance. This should be supported by management. Good management can contribute by ensuring that there’s efficient communication.
How do you get your business to buy into cybersecurity projects?
Stuart Coulson | Manager of Business Engagement | @SPCoulson
If you are hitting a barrier of budget for your security controls, then you probably are experiencing a disconnect between your IT Security strategy, the risks the organisation faces, and how you will mitigate those risks. Start by working with the risk owners to identify their real-world issues, then identify the technical controls that will resolve fully those risks. Ensure compliance to standards for your controls and then create a holistic strategy based around those controls.
If you try and do it the other way around, then you will not be directly addressing the issues of the users and key stakeholders. All too often, vendors will sell the dream that they can solve all your woes, but rarely is that the case. Ensure you create a list that addresses risks, and mitigate those. Sure, keep an eye to the future, but if you are just starting out, be led by your risks.
Gary Hibberd | Professor of Communicating Cyber | @AgenciGary
You have to change the conversation and make it about adding value. The challenge is that cybersecurity is often seen as a cost centre or something that slows down innovation or business processes. But if we can change the narrative, then securing the budget won’t be such a challenge. We, as cybersecurity professionals, need to become better at listening to the business and its needs. By doing so, we can better understand business objectives and their direction and see how we can help on this journey.
By focusing on the people around the boardroom table and what they are trying to achieve, we can reframe what we do to support and help them. The CFO typically wants to save money, so show how spending on cybersecurity can be better targeted. The CEO will want to increase market value, so show them how good cybersecurity can protect brand reputation. The Sales Director will want to increase sales, so show them how they can use cybersecurity as a business differentiator and a competitive advantage.
A lot of this is about education and becoming better at communicating the benefits of cybersecurity. Essentially, we must become better communicators of the benefits of what we do.
Dean Ferrando | SE Manager, EMEA at Tripwire | @deanferrando
The old adage of “it’s not if you will be breached, but when” still stands true, and trying to cater for that scenario from the start should pay for itself in the long run. There are a lot more benefits for organisations to adopt a security approach, such as removing the unexpected costs of compliance alterations when the mandated frameworks change. When that occurs, organisations have to re-assess their entire estate to see if their scope / security configurations have changed. Obviously, any identified changes could add additional unexpected costs to the organisation. If an organisation adopts a security approach from the start, then as long as the estate is being constantly monitored and protected to a higher standard than the bare minimum framework, any framework changes would most probably be irrelevant, again reducing the long-term cost to the organisation.
While security is more difficult than simply achieving compliance, our experts make it clear that a security-centric approach will yield greater benefits. Above all, demonstrable value is an important part of proving why compliance should be a passenger in the security vehicle. Security must be the driver.
To learn more, download the whitepaper “Mind the Cybersecurity Gap – Why Compliance Isn’t Enough.”