Understandably, most businesses prioritize compliance when it comes to security risks. But as KnowBe4 CEO Stu Sjouwerman explains, a compliance mindset can create a false sense of security in the world of cyber threats.
Compliance is an ongoing business concern, especially in the world of cybersecurity. Compliance is actually the biggest driver (59 percent) of the identification of an organization’s security needs instead of business risk reduction. This is probably because an increasing number of regulatory bodies mandate that organizations abide by security standards like GDPR, HIPAA and SOX.
Organizations spend large amounts of money, time and resources trying to meet audit requirements, and when they successfully meet criteria and pass tests, they often get a false sense of security that they are battle-ready against real-world cyber threats. Unfortunately, this is far from true.
Compliance is only a small part of cybersecurity, and there are many reasons why compliance is inefficient in reducing cyber risks.
1. Compliance is an audit mentality
When the unsinkable Titanic sank in 1912, it was fully compliant with all marine regulations. In fact, it exceeded the number of lifeboats mandated by the British Board of Trade at the time. But when catastrophe struck, the ship was not equipped with enough lifeboats to save all passengers on board. The problem? Management, too focused on meeting compliance, undermined real-world risks. Cybersecurity compliance too is a lot like that. There’s a compliance document where every checkmark becomes as valuable as the next checkmark. Security teams develop a kind of checkmark mentality because the end goal is not to be secure but to be compliant.
2. When compliance conflicts with security, compliance always wins
In many cases, especially with enterprises, the C-suite is responsible for making sure the company meets its compliance requirements. Leadership often does not want to hear about any deviating from those requirements for the sake of security. That’s because oftentimes they’re legally obligated to meet those compliance requirements. For example, a business that operates in a fully cloud, perimeter-less environment might need zero-trust more than a firewall. Yet some businesses might still be obligated to have a firewall in place (even though it’s not needed), to meet legislative requirements.
3. Compliance controls are not ranked for risk relevance
Compliance documents view risk as bubbles in a glass of champagne. They fail to inform security teams that two or three of those bubbles are much larger than all the other bubbles put together. For example, phishing and unpatched vulnerabilities are one of the top root causes of all cyber attacks but most compliance documents fail to highlight or prioritize those risks.
4. Compliance is binary
Auditors will typically ask yes/no questions, such as whether the organization conducts software updates and backups and has firewalls. In case there is a minor deviation, auditors view it only as an exception or a failure because they can check only for a yes or no response. In reality, security isn’t binary. It generally falls along a spectrum of continuum — from no security to all possible security.
5. Compliance documents do not provide enough detail
Most compliance documents fail to set clear expectations and define clear guidelines. For example, compliance documents might say, “One should apply critical patches in a timely manner.” But what does “in a timely manner” mean? What is a critical patch? Or, “One should collect reviews and logs.” Which logs? What type of review? “One should back-up data and regularly test it.” Test in what way?
Since such details are not clearly defined, it creates a lot of confusion. In the end, everyone knows (including the auditor) that the audit isn’t very accurate. Saying “We are fully compliant with patching” literally means nothing. One might end up patching 15,000 things that never got attacked but end up missing out on patching the five riskiest applications and still be compliant with vague statements.
How businesses can achieve compliance and risk reduction at the same time
Bottom line, businesses need to put risk ahead of compliance, as compliance doesn’t always lead to adequate security. Start with risks and vulnerabilities in the order of their importance: exploits actively being used against you, exploits likely to be used against you in the near future and exploits that were successfully used against you in the recent past. Use a vulnerability scoring system (such as the CVSS) to rank your risks.
Less than a handful of threats comprise the vast majority of real risks. Focus on the root causes of exploitation, such as social engineering and unpatched software. Start by patching internet-facing applications (browser, OS, productivity apps, browser and add-ons). Where compliance conflicts with security, invest in education and set clear expectations. Discuss with management about the differences between compliance and security, explain why security should win and agree how compliance expectations will be handled.
Since compliance and risk management go hand in hand, it might also be a good idea to leverage GRC (governance, risk and compliance) platforms, as these can help track your compliance progress, drive mitigations against the most likely risks and monitor changes in controls over time.
Compliance is not an obligation but an opportunity. Organizations that recognize this and live everyday like it’s Audit Day will not only fare better at compliance but also achieve real reduction in cyber risks.