The Sweet Spot between ‘Compliant’ and ‘Secure’

March 17, 2017
Adenike Cosgrove

Proofpoint recently joined a group of security leaders at the World Cybersecurity Congress in London, UK. The main topic of conversation? Regulation.

Security and IT professionals are increasingly concerned that the recent uptick in compliance requirements, such as the EU General Data Protection Regulation (EU GDPR), could negatively affect security programs. But complying with regulations and implementing cybersecurity best practices don’t have to be at odds. Below, we explore the difference between compliance and security and reveal the best ways security teams can leverage regulations to their advantage.

Compliance does not ensure security

Just because your company is ‘compliant’ does not mean it’s ‘secure.’ Regulations aim to change corporate behaviours by enforcing rules to manage very specific types of data, transactions, or processes. For example, the Payment Card Industry Data Security Standard (PCI DSS) aims to help financial institutions “protect their payment systems from breaches and theft of cardholder data,” while the new EU GDPR aims to “protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”

Complying with regulations and standards does not expose the risk profile of each individual business, nor does compliance mandate that appropriate security controls be implemented to mitigate identified risks. Each business is unique and will have its own set of cybersecurity risks and controls that internal teams will need to address. The ideal driver for any security program should indeed be the implementation of security best practices, frameworks and standards. But the real world is compliance-driven, and regulations usually take priority. Why? Here are three key reasons:

  • Business Impact: There is a very real and quantifiable business impact of failing to comply with regulations—regulators have the power to issue penalties and fines that can significantly impact the business’s ability to function. In addition, under the EU GDPR for example, organisations that experience a breach of EU personal data will have to report that breach to their Data Protection Authority. This public disclosure of breaches (and non-compliance) could also damage the business’s brand reputation and, ultimately, revenue. This direct penalty is quite unlike some cybersecurity threats reported to the business, where the likelihood of the risk affecting the business is perceived to be low and the potential impact cannot be quantified.
  • Business Engagement: With huge fines and potential disruption to business, is it any wonder then that management and boards are prioritising regulatory requirements? Our boards understand the risks of non-compliance and equally understand what must be done to prevent potential fines. Does the business care about becoming ISO27001 certified? Does it care about security best practices? Probably not. But does it care about complying with the EU GDPR and other regulations? Most definitely, yes.
  • Budget: Compliance drives business priorities and, in turn, results in substantial investment in the controls needed to help the organisation become compliant. As the potential impact of non-compliance is quantifiable, and the board is aware of, and engaged in, regulatory matters, the business is more likely to allocate resources to projects that aim to fill compliance gaps.

How can your team leverage compliance to become more secure?

Even though ‘compliant’ does not mean ‘secure’, security and IT professionals can leverage regulations to elevate the need for security best practices. Including regulation requirements under the broader cybersecurity risk framework will get the business thinking about other cyber risks that could affect operations.

Using the GDPR as an example again, one of its key requirements is that organisations have a good understanding of all the EU personal data they currently hold and that they can determine where that data resides. Well, data classification is also a certification requirement for key security standards and frameworks, such as ITIL, NIST SP800-53, ISO27000, PCI, HIPAA, SOX, SOC 2, COBIT Security, and FedRAMP! Security teams can leverage the GDPR to drive other data security best practices across the organisation, going beyond the scope of EU resident data to protect all crown jewels.

Regulations present a golden opportunity for security and IT teams to grab the attention of their boards, elevate the need for ‘good’ cybersecurity practices, and secure the budgets necessary to implement innovative cybersecurity strategies and roadmaps. Combined with compliance, cybersecurity becomes a top priority in the ever-growing list of objectives our businesses face.

For a deeper look at how your organization can plan, act, and respond to GDPR compliance requirements and prevent data breaches of EU PII, I encourage you to download and read our GDPR Playbook.