Compliance has a lot to offer cyber security, but it also has significant limitations. Since the cyber challenge first emerged, the need to meet compliance standards has been a major factor in getting cyber security into boardroom discussions. Today's standards have benefited from those discussions and are broadly mature and well thought out.
But the double-edged sword of legislated standards is that a company may assume that, by ticking the right boxes to meet those minimum requirements, it is secure, and so invest less time and fewer resources in the continuing and evolving job of achieving cyber stability. Security leaders concerned with achieving true operational assurance know that the goal of compliance is not simply to be compliant.
For starters, compliance doesn't always get it right. Legislation is periodic, but cyber risk is ever-present and evolving. Cyber security has always been an arena of rapid change. Expecting legislation to keep pace with attacker innovation would be foolish: tomorrow's threats are unlikely to fit neatly into categories defined by current and past threats, and preventing, detecting and responding to future threats requires a more flexible mindset and security program.
There are countless examples of high-impact breaches affecting companies that are entirely cyber-compliant. Last year, it came to light that the telecoms giant Syniverse had suffered a five-year-long breach despite being compliant with multiple standards such as GDPR and ISO 9001, and even with supply-chain-tailored standards like TL 9000. In the past, compliance standards such as PCI DSS required only quarterly vulnerability scans.
As a result, we've seen high-profile attacks exploit known vulnerabilities that already had patches available. The targeted companies were fully compliant at the time but still suffered preventable breaches. Standards are often updated in the aftermath to encompass a more risk-based approach, but this is still reactive. The reality remains that compliance rules will always lag behind the ever-evolving world of cyber risk.
Crucially, cyber risk, by its very nature, is bespoke. Compliance controls, on the other hand, ensure a common standard - but no two organizations are the same. Therefore, building a risk profile requires deep business context and an understanding of "self" before we look at understanding our enemy.
The challenge for CISOs is prioritizing those risks and continuously hardening defenses. Of course, 100% prevention is unrealistic - but that's okay. The goal is to make an attack so labor- and resource-intensive that it no longer makes sense for attackers to keep going after the hardened target. Cyber crime is a business, and being truly proactive makes it harder for attackers to achieve their ROI.
Adhering to compliance rules can significantly increase an organization's ability to manage risk - which, if it's not already clear, is the core goal of cyber security - but it can only go so far. Most CISOs today would agree that the further you move away from the time a compliance box was checked, the less confidence there is that the compliance rule is still effective and still managing risk at the expected level.
Compliance might be the start of the cyber conversation, but that conversation has since moved on. In the current era of cyber threats, it's about pairing teams that have a proactive mindset with the right technologies, so that they know the company inside out. Only then can we hope to preempt and prevent the many ways an attacker could do damage.