Compliance is Not Security! How You Can Transform a Compliance-Driven Security Culture into a Risk-Based Security Culture

Published by Axio

Whether in the private sector, state government, or the federal government, cybersecurity compliance is an omnipresent influence on organizational decision-making. Compliance requirements are designed to oblige companies and organizations to follow specific regulations in order to discourage and prevent cyber-attacks. Compliance has long been part of the traditional risk assessment approach for many companies but, by itself, does not fulfill the needs of a holistic cybersecurity and risk strategy. Those who oppose compliance argue that it restricts a company’s ability to improve cybersecurity. Compliance mandates are a necessary but not sufficient part of your organization’s security strategy. Here we will scrutinize the merits of traditional cybersecurity compliance and examine why compliance alone is not sufficient to protect your organization from data breaches.


What is Compliance in Cybersecurity? 

Regardless of your industry, sector, or company size, you’re undoubtedly familiar with various compliance mandates as a cybersecurity professional. Some well-known examples include: 

Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the privacy of healthcare patients.  

Defense Federal Acquisition Regulation Supplement (DFARS) contains requirements of law and DoD policies. 

European Union General Data Protection Regulation (GDPR) is a data privacy and security law that affects organizations globally.  

Payment Card Industry Data Security Standards (PCI DSS) is a standard developed to regulate organizations that handle credit card information. 

Federal Information Processing Standards (FIPS) 140 dictates standards for US government computer security.

Though each regulation listed above applies to its specific industry, they share the same goal: to secure data and prevent disastrous cyber attacks. The objective of compliance requirements is to protect the data that your company manages. Depending on the industry and size of the organization, this responsibility may fall on internal IT security teams, a separate compliance team, or an external contractor. However, despite being a vital element of your business, compliance alone is not security. It can improve your security, but it does not ensure it.

For example, the PCI DSS became active in 2004 to curb payment fraud, covering payment processing organizations and all businesses that accepted credit cards and requiring them to implement the security controls outlined by the program. PCI DSS, as with all compliance mandates, sets forth a (normally lengthy) list of controls, which become tasks for the organization to complete: things like password management, firewalls, endpoint detection and response, or intrusion detection. Fundamentally, compliance mandates are a list of tasks. A list of tasks is the same thing as a checklist. Or, to put it cynically, a catalog of chores to get off your plate.


What are the key differences between a risk-based culture and a compliance-driven culture?  

Complying with cybersecurity frameworks often, and unsurprisingly, leads organizations to a false sense of security. Meeting compliance requirements does not make your company “hacker-proof.” In fact, the 2013 data breach at Target occurred only weeks after Target was certified PCI DSS compliant. We know the breach occurred because Target did not implement network segmentation, which is a suggested control but not a requirement of the PCI DSS. By 2017, four years later, it was estimated that the total cost of this breach was around $202 million. A company that meets its compliance requirements and does little to improve its security posture after “checking the box” will be left with security gaps that attackers can exploit. On their own, compliance controls are little more than checklists, each item boiling down to something you either do or don’t do, which does not add up to a holistic cybersecurity strategy.

Verizon’s 2020 Payment Security Report reveals that in 2019, only 27% of companies assessed actually achieved compliance. As we know, attackers are constantly evolving their methods, and a risk-based cybersecurity program can adapt in turn, continually reassessing emerging risks and security priorities from top to bottom. A comprehensive security program is iterative: you should always be active and aware. By applying risk-based metrics to your organization, you can customize your cybersecurity strategy to better meet your business needs and address your actual vulnerabilities.


How can you turn compliance activities into ongoing and continuous cybersecurity improvements?  

Security leaders have an opportunity to transform standard compliance activities into ongoing cybersecurity programs. First, a standard compliance process helps any security team understand the state of its cyber maturity while exposing potential gaps that leave the organization vulnerable to attack. The resources and budget needed to satisfy compliance mandates can be significant, and many cybersecurity professionals may think that spending on compliance leaves no money for the areas of risk they want to address. However, compliance can be approached as a subset of risk, acting as the groundwork for thoughtful cyber risk analysis. A risk-based approach defines customized controls for your organization to address its specific vulnerabilities. It can deflect or mitigate attacks, as well as lower your overall cybersecurity costs.


What’s the problem with Microsoft Excel?  

Microsoft Excel is the world’s leading spreadsheet software and is critical to finance and accounting teams, but it should not be the tool that your security and risk teams use to conform with a compliance framework. Excel spreadsheets are static documents, usually shared within the organization and with outside stakeholders like auditors and legal counsel as email attachments. Not only is sending attachments poor security practice, but it also leaves no opportunity for your security team to make use of the data on an ongoing basis. In fact, one could argue that the Excel spreadsheet is what is inhibiting your organization from moving past a check-the-box approach to security.


What are my alternatives?  

Integrated cyber risk management solutions like Axio360 are an excellent way to combine your compliance and security efforts and reap the rewards of each. Rather than an Excel spreadsheet, a static document that simply lists a set of requirements, a proper cyber risk management solution can link those compliance requirements to security tasks and provide workflow-based support for improvements to your security posture. By using a centralized tool with workflows and collaboration built in, your compliance project becomes a security project, and your organization can come out the other end not merely with the piece of paper needed to satisfy customers or regulators, but as a more secure trustee of data, better able to withstand the risks of the modern cyber environment.


Summary 

Many believe mandated compliance is a necessary protection for the US economy, our privacy, and our government operations, and they are not wrong. However, simply meeting the minimum requirements for your business is not the same as implementing cybersecurity best practices. Additionally, compliance on its own does not address the specific needs of your business. The emphasis in cybersecurity has swung from compliance to risk, and it has become clear that a risk-based security approach allows your organization to better understand where the most significant threats exist and how to protect against them.