
Security first: Compliance by design

Introduction

Whether it’s the General Data Protection Regulation (GDPR) or the New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD), nearly every regulation or industry standard that touches the IT department incorporates “security by design” or “privacy by design.” Meanwhile, organizations increasingly recognize that compliance is not the same as security or privacy. With that in mind, organizations should consider taking a “security first” approach to preventing unauthorized access to sensitive data. This flips the model to “compliance by design.”

What does “security first” mean?

Most organizations with mature compliance and cybersecurity programs already incorporate some level of the “security first” approach to data protection. At its core, a security-first initiative should begin by focusing on how to secure information effectively, and only then review how the controls you have chosen align with mission-critical compliance requirements.

How does “security first” enable a robust compliance posture?

By focusing on securing data before looking at compliance mandates, organizations can streamline their control settings and then map those controls to regulations or industry standards. Many compliance mandates set forth similar best practices for securing information. For example, compare the following requirements:

GDPR Article 32(1)

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data
  2. the ability to ensure the ongoing confidentiality, integrity, availability

NY SHIELD Section 4, 2(B)(II)(B)

Reasonable technical safeguards such as the following, in which the person or (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Karen Walsh. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/SeiwxVoLbw0/