Cybersecurity teams are subject to a complicated web of compliance and regulatory frameworks.

These aim to ensure organizations implement appropriate security controls… but they present a significant challenge. Each framework has slightly different recommendations and priorities, forcing teams to expend a huge amount of effort to keep track of and enforce their requirements. But that’s not the only problem.

The “Special Snowflake” Approach to Compliance

What makes a compliance framework difficult to implement? While there are several factors, perhaps the most significant is that most frameworks take a descriptive approach—they tell organizations what to achieve but not how to achieve it.

Tony Sager, SVP and Chief Evangelist at The Center for Internet Security (CIS) explains:

Compliance requirements are what I call cosmic frameworks. They proclaim ‘thou shalt achieve this,’ but aren’t prescriptive about how to do that. It creates an industry of tea leaf readers trying to interpret…