Published in The CISO Den

Lights and Shadows of Cybersecurity Compliance

Death, Taxes and Compliance


I am not keen on the compliance approach, but dismissing it altogether would be unfair. The following observations cover the whole process: the creation of new compliance regulations and standards, the professional qualifications attached to them, audits and the treatment of non-compliances, and, where a compliance standard carries a certification, the value of that certification.

Examples of compliance regimes are ISO27k, Cyber Essentials, Spain’s ENS and PCI-DSS, among many others.


When an organization belongs to an economic sector where cybersecurity regulations apply, that is an incentive to improve cybersecurity.

When a compliance regime encapsulates lessons learnt, it is a driver to implement them across many organizations.

Auditors can help improve cybersecurity, since a lack of evidence is always an indication of poor cybersecurity management practices.

Some compliance regimes require qualified companies, professionals or auditors to perform assessments, which has the benefit of improving the quality of assessments and audits.

Once an organization is certified, it can use the certification to establish trust relationships with other organizations.


When an organization belongs to an economic sector where cybersecurity regulations apply, once it is compliant any improvement beyond the compliance requirements may be seen as unnecessary. Compliance becomes a brake on cybersecurity improvement.

When a lesson learnt is superseded (compulsory periodic password resets come to mind), compliance regimes often take a long time to reflect the change and become a brake on progress.

Auditors have no incentive to look beyond the compliance regulation. Once one answer is obtained for one compliance requirement, the check is over. But many organizations have different levels of compliance across their development, corporate, production and retail environments, etc., so the scope of compliance is seldom a good reflection of the actual state of cybersecurity.

Requiring qualified professionals or companies ring-fences the compliance market and increases costs.

The reputation of any certification obtained by an organization is only as good as the worst organization holding that certification. That is why, in practice, many companies don’t trust certificates and perform their own due diligence, which is costly and time-consuming for both organizations that are keen to collaborate.

Organizations that operate in many markets may struggle under the weight of requirements that don’t match, or may even contradict each other.

Being compliant does not mean having a good level of security. You can be secure but not compliant, or compliant but not secure. Pizza restaurants don’t have a “Pizza Policy”. Having policies is good, but being able to deliver the security requirements of the organization is, I think, more important.

The darkest shadow, from my point of view, is the dilution of responsibility. An organization may suffer an incident, but if it is compliant it will easily claim: “We did everything we could, we were compliant!” Data privacy regulations in Europe used to take a compliance stance, but they wised up: the requirement is now about meeting the goal (not having personal information breaches), and not so much about following the compliance recipe.
