Why A Compliance-Based Approach to Cybersecurity is Not Enough


The RMS Titanic was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. Since then, many have wondered why the ship was not carrying enough lifeboats to save all the souls on board.

There’s a simple answer: the designers of Titanic had followed the British Board of Trade regulations by equipping it with 20 lifeboats, and even threw in four more than the regulations required. Since then, the story of Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security.

Today government contractors and organizations working with the federal government are required to implement a host of regulatory security controls, from National Institute of Standards and Technology (NIST) publications to the Federal Information Security Management Act (FISMA) and the Defense Federal Acquisition Regulation Supplement (DFARS). Yet not all organizations are equally secure: in 2019, 80% of companies were expecting to experience a data breach. What set them apart from the 20% who were confident that their cybersecurity program would succeed?

The Problems with Compliance

At least part of the answer to that question lies in the difference between a compliance-based and a risk-based mindset. While government regulations provide a minimum standard of security for businesses, they truly satisfy only a lowest common denominator of security controls. The best security officers and IT administrators know that their organization needs more. When it comes to cyber risk, a compliance-based mindset can actually make organizations significantly less secure, for the following reasons:

  • Regulations lag behind technical threats – today technology is advancing at a faster pace than ever, and as it does, threat actors find new ways to penetrate organizations and leverage their weaknesses. By the time regulations are updated, they may be weeks behind the latest attack vector, leaving compliant businesses vulnerable.
  • Compliance is NOT security – for security controls to be followed, they must be meaningfully contextualized by a broader security strategy that is understood by everyone throughout an organization. Unfortunately, compliance often devolves into a list of boxes to be checked off, which obscures the reason behind each control.
  • Compliance is expensive – gone are the days when companies could conduct self-audits or track their IT infrastructure without the assistance of expensive products and solutions. The more a company struggles to comply with regulations, the more it will spend in that effort with no clear guidance to prioritize expense.
  • Compliance is siloed – a compliance strategy is usually carried out from a centralized position which assigns security controls to every department in an organization. Rather than helping them to work together and share data, compliance efforts are limited by silos that don’t communicate with one another.

But the number one problem with a compliance-based cybersecurity mindset is this: compliance is only a basic foundation – even most regulators will admit that the requirements imposed by security regulations are a bare minimum standard for organizational security. Although it may cite cost, capability or time as a reason for stopping at mere compliance, an organization that has not taken the steps to move beyond mere compliance by building on top of its unique needs and circumstances has not seriously considered the responsibility it bears to its clients and shareholders.

What is Risk-Based Cybersecurity?

Although the Titanic was built to the British government’s specifications, one prescient observer noticed its flaws. Civil safety officer Maurice Clarke advised that “the ship needs 50% more life-boats,” and that advice was ignored. While the Titanic’s owners were thinking from a compliance-based perspective, Clarke was thinking from the perspective of risk.

The basic contours of risk and risk-based approaches to security are spelled out in NIST SP 800-37, which lays out a Risk Management Framework (RMF) for government organizations and businesses to follow. This document provides a useful way to talk about risk. In short, risk is:

  1. The likelihood that a threat event will happen
  2. The impact if it does

Organizations that take a risk-based approach to security are looking at it with the goal of protecting their most valuable assets, the safety of their customers, and the security of their information. They proactively search for weaknesses in their IT architecture through risk assessments and seek to continually improve their position.

Benefits of a Risk-Based Mindset

At first glance, risk-based security might seem like a significant time investment: it requires preparation, strategy, and continuous monitoring. But while it is not as linear as compliance, those who adopt it will quickly find that it is not only less resource-intensive, but also provides many benefits:

  • Stay ahead of threats – when organizations pay attention to risk, they quickly discover new and developing threats long before they are reflected in legislation. This allows them to protect their organizations from attackers at their most powerful and gives them a competitive edge.
  • Prioritize security efforts – by revealing areas of high vulnerability, a risk-based strategy helps organizations to continually improve their cybersecurity position with time while effectively protecting their customers and most vital assets.
  • Cost-optimized – a risk-based mindset enables organizations to allocate resources more efficiently, spending the greatest amount of money and manpower on the areas which need it most. Greater overall security and reduced labor lead to lower costs.
  • Integrated cybersecurity strategy – by embedding cybersecurity goals within their overall enterprise risk management strategy, organizations connect cybersecurity concerns with business goals, bringing together all departments and personnel to protect their assets.

Ultimately, a risk-based mindset reduces “check-the-box” routines that obscure the real purpose of cybersecurity from an organization’s people. It helps executives and decision makers to reflect on cybersecurity with every choice they make and empowers everyone else to make a meaningful contribution to the reduction of risk.

Risk vs. Compliance: Better Together

While a risk-based approach to cybersecurity fills many of the gaps in a compliance-dominated organization, the two are better together. Firstly, compliance offers a simple foundation that all organizations should be able to meet before they look for ways to improve. Secondly, because of the impact of a failed audit, lack of compliance is itself a risk which should be accounted for in any risk management strategy.
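As an added illustration (not code from the original post), here is a small Python risk register that scores each finding by the likelihood-times-impact notion of risk from NIST SP 800-37 described above and, following the point that a failed audit is itself a risk, adds unmet regulatory controls to the register as a risk item of their own. The 1-to-5 ordinal scales, the sample findings and the asset names are constructed assumptions.

```python
# Added example, not from the original post: a minimal risk register that ranks
# findings by likelihood x impact (NIST SP 800-37 RMF vocabulary) and treats
# missing regulatory controls as a risk in their own right.
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # assumed ordinal scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed ordinal scale: 1 (negligible) .. 5 (severe)
    compliant: bool   # whether the regulatory control covering this finding is met

    def score(self) -> int:
        # Risk = likelihood that the threat event happens x impact if it does.
        return self.likelihood * self.impact


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest risk first; ties broken by impact, then by original order."""
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)


def add_audit_risk(risks: List[Risk], audit_impact: int = 4) -> List[Risk]:
    """Model non-compliance as its own register entry: the more unmet controls,
    the more likely a failed audit (likelihood capped at 5)."""
    gaps = [r for r in risks if not r.compliant]
    if not gaps:
        return list(risks)
    likelihood = min(5, 1 + len(gaps))
    audit = Risk("compliance program", f"failed audit ({len(gaps)} unmet controls)",
                 likelihood, audit_impact, compliant=False)
    return list(risks) + [audit]


# Constructed sample register (assumed values, not real findings).
SAMPLE = [
    Risk("customer database", "credential stuffing on exposed admin portal", 4, 5, True),
    Risk("build server", "unpatched CI runner", 3, 4, False),
    Risk("guest wifi", "rogue device joins network", 2, 2, False),
]


def top_asset(risks: List[Risk]) -> str:
    """Asset whose finding should be addressed first."""
    return prioritize(add_audit_risk(risks))[0].asset
```

Note that the top-ranked item in the constructed register is fully compliant: the ranking follows risk, not audit status, which is exactly the distinction the post draws.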

Today all federal contractors and an increasing number of businesses in the private sector are being asked to comply with federal security regulations. But newer standards like the Cybersecurity Maturity Model Certification (CMMC) recognize the limits of a traditional approach to compliance and demand that businesses think about risk. Organizations that don’t start today won’t be prepared tomorrow. Contact us to learn more!