
Robert H. Leong at HCLSoftware explains why true security needs to move beyond compliance
As a cyber-security software product manager, I aim to have a deep understanding of the market so that the product or service we offer aligns perfectly with the market needs and essentially sells itself.
Recently, I’ve come across challenging questions related to cyber-security compliance, especially regarding the issue of recurring incidents and breaches despite meeting important security benchmarks, checklists, and standards.
When thinking about cyber-security incidents and breaches, it’s important to note that in 2023, the defender community spent approximately $166 billion on cyber-security solutions and services. This spending is predicted to increase to $273 billion by 2028. However, despite these efforts, there were losses amounting to $8.44 trillion in 2023, and this is expected to climb to $13.82 trillion by 2028.
Cyber-security compliance “encompasses everything an organization does to protect company assets and meet security and compliance standards and regulations,” and aims to “recognize, control risks, and identify and stop cyber threats before they result in a significant data breach.” Read literally, this definition suggests that security and compliance are mutually dependent: where one is present, the other must be as well. But it is not as simple as this.
Looking at the market, there are many cyber-security compliance standards, including NIS2, the CIS Controls, FISMA, PCI DSS, and DORA. However, compliance with these standards does not guarantee protection.
Take, for example, Center for Internet Security (CIS) Control 7, which focuses on “Continuous Vulnerability Management.” This control aims to develop “a plan to continuously assess and track vulnerabilities within an enterprise’s infrastructure to minimize the window of opportunity for attackers.” Data from 443 organisations compliant with this control shows that, while 60% are more effective at identifying threats, they still fail to remediate their impact: see Figure 1 (source: The State of Vulnerability Management; survey by Tenable and BigFix).
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543