Why Compliance is for Guidance, Not a Security Strategy - InformationWeek


Commentary
4/15/2020 07:00 AM
Jason Fruge, Vice President of Business Application Cybersecurity, Onapsis


Chief information officers face challenges obtaining buy-in to invest in cybersecurity. Yet equating compliance with security is the biggest mistake CISOs are making.

It’s a problematic question security teams get asked by the business side throughout their careers: “If we’re compliant, why do we need to continue investing in cybersecurity initiatives?”

The answer can be found in a quick internet search. Take the Equifax data breach, for example. In September of 2017, Equifax, one of the largest consumer reporting agencies, announced a breach affecting more than 800 million individual consumers and 88 million businesses worldwide. Its network was compliant, but it had failed to implement an adequate security program to protect its customers’ sensitive and private information.

Image: Michael Traitov - stockadobe.com

However, catastrophic breaches like Equifax’s leave senior executives and board members unfazed. Sixty-four percent of executives around the world -- and 74% of those in the US -- feel that adhering to compliance requirements is a “very” or “extremely” effective way to keep data secure, according to 451 Research. Often, their strategy defaults to the following logic: As long as we’re up to legal standards, we’ll transfer any additional risk to insurance.

But in recent years, that philosophy has been challenged. In fact, large companies like Mondelez took that approach until their cyber insurance provider pushed back, citing a common but previously rarely invoked clause in insurance contracts called the “war exclusion.” Under that clause, when an attack is attributed to nation-state hackers, the insurer can treat the company as collateral damage in a cyberwar and decline the claim.

Regulators are beginning to work to combat these mistakes, encouraging organizations to appoint board members who are well-versed in information security and can ask the right questions to ensure a meaningful security strategy is in place. Nonetheless, until such a requirement is actually passed, this remains just that -- a suggestion.

A never-ending battle

This predicament leaves security experts fighting a two-front battle: one with hackers trying to gain access to a company’s most sensitive business data, and the other with senior leadership regarding funding for security products.

In today’s digital age, once an organization improves its security posture in one area, hackers simply move to a different attack vector. Protecting against each new vulnerability often requires additional budget -- whether for additional headcount or for security products that strengthen control.

Executives are concerned about the company’s bottom line, and rightfully so. It’s their job to ensure a business is practicing fiscal responsibility and reaching revenue goals. As they see spending increase, budget fatigue sets in. Decision-makers want to understand when they will reach a level of maturity at which the business can stop investing in cybersecurity.

The unfortunate answer is never. Businesses are fighting a dynamic adversary, and as technology evolves, so do hacker tactics. So, how do forward-thinking CISOs and security experts ensure their company doesn’t fall victim to the next big data breach?

A strategy fit for your business

The first thing security professionals need to understand is that they are wrong to assume everyone realizes the risk of leaving security up to universal compliance standards.

However, the onslaught of recent regulatory standards like GDPR and CCPA, together with compliance being top of mind for board members, provides a timely occasion for security teams and senior leadership to meet and develop a thoughtful approach to both protection and compliance.

A fundamental piece of both initiatives is to understand a business’s data landscape. Where does the data live? Which applicable regulations does the company need to know about?

Most organizations will stop there and apply a compliance-based security method in which every system gets the same approach to patching and protection. Yet effective CISOs will take it a step further and change the risk paradigm, asking leaders difficult questions about business vulnerabilities.

For instance, what system within our business has the most sensitive information? Could it be systems with confidential data on potential mergers or acquisitions? Or critical business applications that store customer, financial, sales, and human resources data? On the surface, it may not seem like these systems are the most important. Still, once the implications of losing or disrupting this data are realized, teams can start to prioritize protection for their specific business needs.

Compliance as guidance

No governing agency can tell you how to protect your network best. Compliance frameworks and regulations are high-level guidelines on which risks need to be addressed. When viewed through the right lens, though, they can serve as a helpful start on the journey to a more meaningful security strategy.

With this in mind, and with support from senior leadership, security teams can use these frameworks to understand their data landscape better and prioritize protection where it matters most. Then, and only then, will businesses have the proper foundation for a security posture that reflects the way the organization does business. This process will help security teams check the compliance box with confidence that their most critical business information and data are secure.

With over 20 years of information security and IT leadership experience, Jason Fruge leads Onapsis’ Global Professional Services team, a critical part of Onapsis’ customer success efforts. Previously, as CISO at Fossil Group, he was responsible for providing leadership and information security advice, governance and subject-matter expertise to the company’s executive leadership and global team of technical staff who manage critical distributed information systems.
