teissTalk host Geoff White was joined by Todd Wade, Chief Information Security Officer, Sokin; Raza Sadiq, Head of Operational Risk, Mqube; Benjamin Corll, VP, Cybersecurity, Coats; and Jamie Moles, Senior Technical Marketing Manager, ExtraHop.
Mandiant’s M-Trends 2022 report is out with the answer to the question we all want to know: “are organisations detecting attacks faster?” Spoiler: global median dwell time (the time an attacker spends in an environment before being detected) is now 21 days, down from 24.
However, the report is further evidence that companies still don’t do their homework on basic cyber hygiene: exploitation of unpatched vulnerabilities remains the easiest pathway into a corporate system. It’s also interesting to see how differing reporting cultures mean attacks take roughly twice as long to be detected and reported in Europe as in the US.
Data centres and their virtual machines may provide cyber criminals with another pathway to a company’s crown jewels. The success rate of supply chain attacks, and the fact that they rank second among initial infection vectors, are striking; to a large extent this is down to the scale of the SolarWinds compromise. Supply chain risk now features among the top cyber risks for a majority of businesses.
Among the most frequently seen malware families, the report singles out Beacon, the default backdoor payload of Cobalt Strike, a commercial adversary-simulation tool that is used legitimately in penetration testing but is just as readily abused by criminals.
The key message is that compliance doesn’t necessarily mean you’re secure. For the security community this is a no-brainer, as they put security first, but executives are often only after the seal of approval and therefore aim for compliance alone.
Certain industries (medical, finance) are mandated to run a compliance-based programme. Although many see risk management as a cost, it can also save the business a great deal by removing inefficiencies, which can impact the bottom line very positively and lead to a manifold increase in ROI.
One of the merits of a risk-based approach is that it gives you a ranking of existing risks, as well as leverage when pitching security to the board. Ideally, compliance shouldn’t be the be-all and end-all of cyber defences but, rather, the foundation on which a robust cyber security programme is built.
According to the teissTalk poll, 71% of the audience described their programme as compliance-based.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543