Cyber compliance is an important concern for cybersecurity teams, for good reason. It’s crucial to protect your IT ecosystem from threats, and ensure that customer data and proprietary information is secure from unauthorized access.
Compliance frameworks like those from NIST and ISO can provide useful guidance for assessing security provisions, and they can be highly effective as starting points for formulating your company’s strategies. Obtaining certifications from these compliance organizations can also signal your commitment to data protection and privacy, and align your organization with ethical behavior and social responsibility. Potential customers and partners are likely to check your compliance badges, which is why so many companies display them prominently.
But an over-reliance on compliance can be a vulnerability, not an asset. Prioritizing compliance checklists can direct your focus away from innovation and growth, and create a false sense of security that might cause you to miss critical threats.
This is why security experts and thought leaders often encourage organizations to switch gears and adopt a more flexible, effective approach that is based on risks, rather than compliance.
Too often, compliance is little more than an exercise in checklist adherence, carried out after cyber processes and workflows are already established, simply to meet the requirements of a given standard. Recent breaches have highlighted the drawbacks of this approach.
In February, the Bank of America announced a data breach that was caused by a third party service provider having been hacked. Bank of America itself was compliant with the relevant frameworks, but it had overlooked third party risks. Pharmaceutical giant Cencora encountered a similar situation when a breach went unnoticed for months.
According to experts, this is a reminder that “financial institutions and their partners must move beyond compliance and tick-box exercises, fostering an active security consciousness that encourages positive security behaviors.”
Dangerously, a compliance-first mindset looks at risks in a fragmented manner, which can lead to gaps in security provisions. Some threats only become apparent when viewed in the context of the whole system.
“Many CISOs tend to build their cybersecurity program in buckets, according to the type of threat. For example, they might have tools and processes to handle email attacks, and separately, they will make sure they have tools to ensure remote access is safe,” warns Arik Solomon, CEO of cyber GRC automation company Cypago. “Under this model, GRC compliance is often considered a separate need – not necessarily a threat, but rather a business requirement they must implement.”
Compliance frameworks also offer baseline and generic standards – not the highest standards and not the standards that make the most sense given the specifics of individual organizations. Indeed, companies that stick narrowly to compliance checklists might be led towards solutions that don’t protect against specific risks, or which don’t reflect their high exposure to risks from a vector that is specific to their industry.
Equally problematically, a compliance-first approach can lead organizations to expend resources on risks that are relatively low for their circumstances. When decision-making prioritizes compliance over other factors, it creates a bureaucratic monster that squashes growth. This can be disastrous in fast-moving verticals where competitive edge relies on innovation.
As the drawbacks of a compliance-first attitude become more evident, security leaders are increasingly shifting to integrate compliance as part of a broader risk management.
As Solomon observes, “More CISOs understand that cyber GRC is essentially a roadmap by which they should analyze potential risks, design governing processes, and apply security controls. This new approach defines a scalable model, essentially allowing organizations to continuously assess relevant risks and measure how well their existing cybersecurity program fits these risks.”
Taking a risk-first approach empowers security teams to build resilience into the system from the outset, so it can respond to the unexpected with innovation and creativity. This enables a better allocation of resources. Prioritizing risks over compliance saves time, money, and reputational cost, allowing teams to address the most likely and most potentially damaging risks first, for more effective damage control.
Just as importantly, a risk-first mindset can unearth a wider swath of potential outcomes, including positive ones. With a better understanding of the challenges ahead of you, you can optimize opportunities for growth that you might not have noticed. It also ensures that you’re aware of risks in areas that you might not have considered, and of how risks can affect different elements of the organization.
A risk-based approach is also proactive in protecting your company. Compliance frameworks are reactive, which is particularly harmful in cybersecurity, where risks evolve quickly.
“Compliance regulations struggle to keep up with rapidly evolving attack vectors and emerging technologies. As a result, organizations find themselves vulnerable to these changing threats,” points out Purandar Das, CEO of data protection company Sotero.
“For example, PCI-DSS 4.0 was released in 2022 and remains applicable for three years,” he adds. “In IT, three years represents much technological transition—especially for cybercriminals. Organizations that meet this compliance standard may be vulnerable to future novel attacks developed after 2022.”
For CISOs and GRC leaders interested in adopting a risk-first approach, there are specific elements that need to be embraced.
Most importantly, but perhaps hardest to implement, is spearheading a shift of a risk-based culture. This requires leadership that models risk-first attitudes, encourages employees to speak up about potential risks and improvements, and recognizes successes to foster a positive culture.
Employees need regular, ongoing training that ensures that they know what is required in a risk-first culture. They need to understand the importance of this approach as well as mastering risk-based protocols and the best way to manage compliance risks.
CISOs need to update their security and privacy protocols so that they reflect risks, not just the boxes on a compliance checklist. Those protocols should be revised regularly, because risks are constantly changing, and processes should also be reviewed frequently to ensure that they align with the current risk environment.
It’s important to note that there’s no need to choose between effective compliance and powerful risk management. Companies that embrace a risk-based approach enjoy improved security along with compliance that goes beyond the letter of mandatory standards and frameworks. As organizations adopt a risk-first attitude, they gain improved data privacy and system protection, and are better placed to drive growth.