Summary

While compliance can help organizations that are otherwise lagging in their security efforts be more secure, it won’t stop an attack or help with incident response if one does occur.


Are security and compliance best buddies, or are they in a cage match? Are they even on the same side? Isn’t compliance there to make sure that the organization is indeed staying secure—and isn’t that a good thing? 

It may be time for a security/compliance reset. As most CISOs will tell you, it’s not that simple. Yes, compliance nudges otherwise lax participants to be more secure, and it places an easy-to-understand penalty for poor security front and center, where no one else in the C-suite can ignore it. 

But all is not right between security and compliance. Here’s what CISOs have to say.


Conflicting Mindsets

“Compliance never stopped an attack,” said one of the CISOs in our recent panel discussion. In other words, compliance is based on periodically generated reports and audits, and as such, is only representative of a single point in time. But as CISOs know well, cybersecurity is an ongoing campaign where the bad actors are constantly changing their tactics, and new threats come out of nowhere all the time.

The mindset of upper management might be quite different. Non-security leaders tend to equate compliance unequivocally with security, imagining, “We’re compliant, therefore we must be secure.”

Leaning too heavily on compliance is where the problems begin. Security is expensive and complicated, requiring 24×7 vigilance and significant investments in technology and people. CISOs and their teams are under enormous pressure to prevent incidents. 

But security teams often lack resources and are sent to the back of the line when it comes to capital investment, because ROI on security is hard to quantify. If we’re compliant, they figure, then why spend more money on security?

For the CISO, compliance is another kind of foe—because of the false sense of security it creates and also because of the resources it uses. For CISOs and their teams, compliance can seem like just more busy work that, at the end of the day, doesn’t really do anything to make organizations any more secure.

What Keeps CISOs Up at Night

As far as CISOs are concerned, cybercriminals are not deterred by compliance, and the market won’t care about a clean compliance record if there’s a cybersecurity incident. Even compliance that evolves over time can only accelerate an endless leapfrogging cycle with threats that are evolving even faster. 

We’re talking not just about the usual malware but also new attack surfaces from IoT devices, new vulnerabilities within third-party software, and new twists on phishing and other socially engineered techniques, all deployed by extremely advanced hackers. Mere compliance doesn’t have a chance against all this. 

Incident Response Goes Beyond Compliance

Another area where compliance is, in practice, irrelevant for CISOs is incident response. CISOs will tell you that whether the enterprise masters incident response or fails at it is far more important than the security solutions in place—or compliance activities. Compliance may dictate which backups and disaster recovery capabilities you should invest in, but it will do nothing to help respond to threats in the moment. 

If You’re Going to Prioritize Compliance, Focus on Data Hygiene

Yes, the compliance function needs strong security, and vice versa. But it also needs data hygiene—a huge component of compliance adherence and a data security priority CISOs say too many miss. 

In short, data hygiene includes auditing, governance, and compliance best practices to ensure databases or file shares are accurate, up to date, and error-free. (That also means regularly deleting data that should not be kept.) Good data hygiene is an accelerator of security, productivity, and regulatory and compliance adherence. In this way, compliance and security do go hand in glove—without compromise.

Instead of thinking of functions like security and compliance—and yes, data hygiene—as perennially fighting each other for more attention, it’s time to consider how much they depend on each other. Do data hygiene well, and security and compliance actually can get on the same team.