Why a compliance first approach is not enough for a strong cyber security strategy

Morgan Jay, Area Vice President EMEA at Imperva, explores the importance of performing holistic assessments of possible threats and assessing where these threats line up with your current security vulnerabilities.

Expectations of security are increasing in every region, making it vital that enterprises understand the risks to customer data and information in order to retain their trust.

By managing new cyber security threats, enterprises will be able to demonstrate their commitment to minimising risks to their customers.

However, every day brings new varieties of threat, making absolute protection impossible. That is why every organisation needs to prioritise and implement the security and data control objectives that best fit its own landscape.

Ensuring maximum protection

We see organisations with strict compliance requirements, such as banks, focusing their security efforts on how to efficiently meet their regulatory obligations. On the other hand, there are organisations that use the aftermath of detected threats and incidents as indicators of where to prioritise security efforts.

While these two tactics are very different, both are ad-hoc approaches that can only address short-term risks. The better step for organisations that want to protect their customers is a future-focused approach that assesses risk over a longer timeframe.

In the wake of GDPR, we’ve seen many great security programs established to meet this new compliance regime. Compliance mandates, such as GDPR, provide organisations with the opportunity to investigate and locate sensitive data beyond the strict bounds of compliance to drive value for the whole organisation.

By being aware of where these datasets are located, organisations can have a greater control over these data assets. Unfortunately, some programs have only been a last-minute box-ticking exercise that doesn’t go any further than exactly what the regulations prescribe.

In fact, in the first six weeks following the introduction of GDPR, data breach complaints rose by 160 per cent. This points to a flaw in several key compliance mandates.

A compliance first approach is not enough

The assumption has been that these regulations were introduced in part to protect enterprises, but the reality is that they are designed to protect the sensitive data of individuals. Ultimately, there is no carrot for compliance, only a stick for non-compliance.

Simply adopting a compliance first approach will not be enough to develop a holistic cyber security strategy. Greater planning and internal strategy are needed, working alongside current methods, to develop a mature cyber security strategy.

This is where a risk-based approach to cyber security comes into play. Essentially, this involves performing a holistic assessment of possible threats and assessing where these threats line up with your current security vulnerabilities.

Where a threat intersects with a vulnerability, a risk exists. Each risk is assigned a score that considers both the likelihood of the threat exploiting the vulnerability and the impact on the enterprise if the risk materialises in an incident.

Once scored, risks can be placed along a spectrum from low risk (the possibility of an incident is low and the potential effects on the enterprise are minimal) to high risk (an incident is likely and would have a high adverse impact).
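To make the scoring concrete, here is a small, added Python example that is not part of the original article. It builds a risk register by intersecting a list of threats with a list of vulnerabilities (a risk exists only where a threat targets the same component and weakness class as a vulnerability), scores each risk as likelihood multiplied by impact, and bands the result. The 1 to 5 scales, the band thresholds and the sample threats, vulnerabilities and impact ratings are all assumptions constructed for illustration; the article prescribes no particular scale.

```python
"""Risk register: threats intersected with vulnerabilities, scored by likelihood x impact.

Added example, not the article's own method. Scales and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    component: str   # what the threat acts against
    exploits: str    # weakness class it needs, e.g. "auth", "input-validation"
    likelihood: int  # assumed 1 (rare) .. 5 (expected)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    component: str   # where the weakness sits
    cls: str         # weakness class, matched against Threat.exploits


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    component: str
    likelihood: int
    impact: int
    score: int
    band: str


def band_for(score: int) -> str:
    """Assumed bands on a 1..25 scale: high >= 15, medium >= 8, otherwise low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(threats, vulns, impact):
    """Return risks (threat/vulnerability intersections) sorted highest score first.

    `impact` maps component -> assumed 1..5 business impact of an incident there,
    the figure stakeholder consultation is meant to supply.
    """
    risks = []
    for t in threats:
        for v in vulns:
            # No intersection, no risk: a vulnerability with no credible threat
            # (or a threat with nothing to exploit) does not enter the register.
            if t.component != v.component or t.exploits != v.cls:
                continue
            imp = impact[v.component]
            score = t.likelihood * imp
            risks.append(Risk(t.name, v.name, v.component,
                              t.likelihood, imp, score, band_for(score)))
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed sample data (assumptions, not real assessment output).
SAMPLE_THREATS = [
    Threat("credential stuffing", "customer-portal", "auth", 4),
    Threat("SQL injection", "customer-db", "input-validation", 3),
    Threat("insider data exfiltration", "customer-db", "privileged-access", 2),
    Threat("volumetric DDoS", "marketing-site", "availability", 4),
]
SAMPLE_VULNS = [
    Vulnerability("no MFA on customer login", "customer-portal", "auth"),
    Vulnerability("unparameterised queries in legacy report module", "customer-db", "input-validation"),
    Vulnerability("DB admins share one generic account", "customer-db", "privileged-access"),
    Vulnerability("no rate limiting at the edge", "marketing-site", "availability"),
    Vulnerability("outdated TLS configuration", "payment-api", "transport"),  # no matching threat
]
SAMPLE_IMPACT = {"customer-portal": 4, "customer-db": 5, "marketing-site": 2, "payment-api": 5}


def sample_register():
    return assess(SAMPLE_THREATS, SAMPLE_VULNS, SAMPLE_IMPACT)


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.band:6} {r.score:2}  {r.threat} x {r.vulnerability} [{r.component}]")
```

Two points worth noting in the output: the outdated TLS configuration on payment-api never appears, because no threat in the register exploits it, and the SQL injection risk outranks the DDoS risk despite the lower likelihood, because the customer database carries a far higher impact rating. Both are the kind of ordering a purely compliance-driven checklist does not produce.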

Developing these risk scores should involve broad stakeholder consultation to truly understand the effects of a potential incident, and what your current capabilities are for mitigating them in the wake of an incident.

Some risks have less to do with technology than with processes, so technology leaders need to consult with line-of-business (LOB) managers and functional departments to understand their needs, and to gain buy-in for prevention efforts.

However, the technology element of risk in relation to data also needs to be understood by every senior leader within the enterprise.

Technology decisions made within a risk-based approach could adversely affect an organisation’s operations and competitive ability, so leaders need good quality analysis from security teams to support their decisions to implement security controls.

Ultimately, we cannot pretend that any enterprise has the ability to protect against every threat imaginable. The assessment of the best security controls and technology will be different for every organisation, and it requires a good measure of strategic planning to be carried out effectively.

Copyright Lyonsdown Limited 2021
