It is often said that security is hard. Whether the difficulty lies in the people, the processes, the technology, or any combination of the three, security is a never-ending challenge. Compliance, by contrast, is relatively straightforward. For too long, and for too many organisations, meeting a compliance standard has been treated as proof of security. The competing ideologies of security versus compliance have long vexed even the most optimistic cybersecurity professional.

We wanted to offer some professional insight on this inherent dissonance, so we asked some experts for their thoughts on compliance and security, and on where the two could harmoniously intertwine.

What are the limitations of compliance when it comes to cybersecurity?


Gary Hibberd | Professor of Communicating Cyber | @AgenciGary

Compliance with legislation or standards is merely the entry point for cybersecurity. Complying with these requirements is therefore relatively easy, but it doesn’t necessarily mean you are more secure.

Angus Macrae | Head of Cybersecurity | @AMACSIA

The limitations are that the cyber world outside of compliance still moves very quickly, and simply being certified with a particular standard does not and cannot necessarily mean that you are in all ways “cyber secure.” It’s the same way that a driving test cannot possibly prepare you for every eventuality you may encounter on the roads—including situations caused by other drivers. Even so, passing a driving test should put you in a better place to deal with those situations than if you had not taken it.


Christian Toon | CISO | @christiantoon

Compliance can drive a culture of checking the box to deliver the bare minimum, and this is wrong on so many levels when it comes to cybersecurity.

Our adversaries know organizations take this approach, and they will craft ...