GUEST ESSAY: The wisdom of taking a risk-based approach to security compliance

By David Jemmett

Today, all organizations are required or encouraged to meet certain standards and regulations to protect their data against cybersecurity threats. The regulations vary across countries and industries, but they are designed to protect customers from the threat posed by data breaches.


With estimates suggesting there are currently over 15 billion user credentials scattered across the dark web, the importance of compliance is clear to see. In spite of this, many organizations today still see compliance as a nuisance, rather than a business enabler.

All too often, organizations will analyze compliance requirements and harden their systems and practices to meet them, without really thinking about their importance to the business. Instead, they will tick the mandatory checkboxes, even if security measures haven’t been enacted, and file the record away as quickly as possible.

Job done! Compliance has been met — or may appear to have been met; now let’s make some money… That is until they learn they have been breached. When the CEO tries to defend the business by pulling out a dusty copy of its two-year-old compliance record, they then face the harsh reality that single “point in time” compliance doesn’t cut it in today’s threat landscape.

Strategizing compliance

Compliance is no longer a “set and forget” security framework. To keep up to speed in today’s evolving threat landscape, compliance is a process that must be maintained continuously.

Here are a few ways for organizations to implement an effective cybersecurity compliance strategy, so that it remains current, providing protection against new and emerging threats:

• Keep up to date with the evolving and growing attack surface

Today, organizations' digital environments evolve continuously: new devices are added to networks daily, staff are onboarded and offboarded, new suppliers are taken on, and as more organizations adopt hybrid working, staff are accessing corporate networks from locations worldwide. The threat landscape is also continuously changing, with new attacker trends coming to light and new software vulnerabilities being discovered that put organizations at risk if they are not patched.

This means threats to corporate data are constantly changing. What might be secure today could be an organization’s greatest weakness tomorrow.

As a result, compliance needs to keep up with new threats and network changes; otherwise, organizations could inherit serious gaps in their architecture that will be easy for cybercriminals to exploit.

• Take a risk-based approach

One of the biggest mistakes organizations make when meeting compliance regulations is the belief that all requirements can be met through products. They don’t think about the impact security risks would have on their organization.

Today breaches cost organizations millions of dollars, both in losses and in fines. When they suffer attacks, reputations are damaged, customers and investors are lost and sometimes the very survival of the business is at stake. This means cybersecurity should never be viewed as just a technical issue; it is a businesswide problem.

Business leaders need to understand the risks in order to prioritize security spending effectively. With an organization's data being its most valuable asset today, understanding where it is held, who has access to it, and what is being done to protect it from intruders is critical.

Business leaders should also think about risks posed by specific attacks and take time to understand what the organization would stand to lose if attackers were to breach their network. Is data backed up regularly? Would the business recover if it was hit with ransomware?

Once they have these answers, what can be done to reduce the risk? Security threats are here to stay and perfect software doesn't exist, so hardening and resilience must be the priority for business leaders.

• Remember cybersecurity is a culture, not a product

Cybersecurity is a companywide challenge, and all departments need to be involved to get it right. Business leaders therefore need to prioritize security and promote its importance from the top down, training employees and encouraging them to mirror that attitude.

This means that when attacks do target an organization, employees can stand as the first line of defense, armed with the knowledge not to click on links and attachments that seem suspicious.

Compliance is an important driver for security, and organizations should never view it as a mere technical nuisance. Cybersecurity is a critical business enabler today, and those that get it right will excel. Those that get it wrong, and do not prioritize their defenses, could stand to lose everything.

About the essayist: David Jemmett is CEO of Cerberus Sentinel, a Managed Compliance and Cybersecurity Provider (MCCP) with its exclusive MCCP+ managed compliance and cybersecurity services plus culture program.
