As cyberattacks grow in both volume and severity, security and privacy have taken center stage. Several industry regulations and frameworks now mandate a security baseline that organizations must meet to remain compliant. Organizations often confuse compliance with security and assume that if they satisfy a regulatory standard, they are well protected against cyber threats. Here are the top five reasons why focusing solely on compliance can undermine the effectiveness of your security program.
COMPLIANCE CONTRIBUTES TO A FALSE SENSE OF SECURITY
Security isn’t about flipping a switch and turning security features on. Many compliance documents read like a checklist to be crossed off in order to meet the minimum requirements of a regulation. An organization can deem itself compliant with a particular standard, but that does not guarantee a sound cybersecurity posture. Regulations are revised infrequently, and the threat landscape changes far faster than compliance guidelines do, so a control set that was adequate when the standard was written may not address the attacks of today.
COMPLIANCE ATTEMPTS TO DO EVERYTHING AT ONCE
Security is a journey, not a destination; it must evolve with the changing threat profile of the organization. For example, the threat landscape before the pandemic (with its limited set of remote workers) was completely different from the one during the pandemic, when remote access suddenly became the norm. Compliance guidelines give little consideration to how actual risk expands and contracts over time. Instead, the regulated entity is handed a list of controls and asked to implement them, usually all at once. By the time the audit is completed and compliance is achieved, the risk environment may have changed completely.
COMPLIANCE FAILS TO PRIORITIZE CRITICAL ROOT CAUSES
Real-life cyber threats carry varying degrees of risk, and some risks are far greater than others. According to Cybersecurity Ventures, social engineering and phishing are responsible for 70% to 90% of all data breaches, while unpatched software contributes to 20% to 40% of all data breaches. No other root causes come close, yet many compliance documents provide scant direction on addressing these major threats. A compliance document rarely ranks controls or singles out the most significant risks. It will most likely say, “Go fix these 20 things right now” instead of “Go fix this first, this next, and this one last.”
COMPLIANCE CENTERS AROUND THE REQUIREMENTS OF THIRD PARTIES
Most regulations are designed around external requirements such as government policies, security frameworks, and third-party or customer contractual obligations. At times, compliance even requires organizations to go beyond what might be considered reasonable or necessary for their own risk profile. Security, on the other hand, is designed around technical requirements and the specific risks the entity is trying to mitigate. Achieving compliance means that you meet the base-level criteria laid out by regulatory bodies; the status itself does not remove the need for additional cybersecurity measures. Limiting your defenses to a checklist of mandated controls will not be sufficient for most organizations.
COMPLIANCE LACKS FOCUS ON THE HUMAN ELEMENT OF SECURITY
The majority (85%) of breaches involve a human element, yet most compliance audits do not stress this aspect enough. Major regulations do recognize the need to monitor employees for unusual behavior and suggest that employees undergo training programs. But completing a 15-minute module on how to spot an email scam is not enough to sustain a security posture over the long run.
BEST PRACTICES TO TURN COMPLIANCE INTO TANGIBLE SECURITY
Compliance and security are two sides of the risk management coin. Compliance in isolation can leave many security gaps unchecked. Security pursued without compliance can leave gaps that a compliance audit would have identified. For a true defense-in-depth approach, compliance needs to work hand in glove with security. Here are some best practices that can help bolster your security program.
• Evaluate compliance documents through the prism of real risks: When a compliance auditor hands over the list of things you must fix, evaluate each item against the actual risk it mitigates and order the work accordingly rather than treating every finding as equal. In most cases, social engineering and patching are among the critical items that need to be addressed first.
• Use a combination of technical controls, policies, and security education: Once your prioritized list of risks is ready, deploy the right technical controls to close those gaps. Document the risks and the corresponding practices in a formal policies and procedures document to provide guidance for the entire organization. Secure the human element through regular, interactive training that helps build a strong cybersecurity mindset and a healthy culture of skepticism.
• Implement and maintain governance systematically: Compliance is only one part of governance, risk, and compliance (GRC). Most will agree that GRC is always in a state of flux owing to constant changes in technology, regulations, and the threat landscape. To approach this process systematically, use reputable GRC tools that can help you transform an unranked set of compliance controls into a risk-ranked, more effective security program.
Compliance is complementary to security. Balanced attention to both domains not only helps organizations reduce their cyber risk but also bolsters their reputation and demonstrates their commitment to cybersecurity.
Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.