In today’s complex regulatory landscape, organizations must resist the urge to prioritize compliance over comprehensive cyber resilience. Christos Tulumba, CISO of Veritas Technologies, explores why focusing on fundamental security practices yields better results than a checkbox approach to meeting regulatory requirements.
Editor’s note: The author of this article is chief information security officer at Veritas Technologies, a data management provider.
The ever-evolving regulatory environment — from the Digital Operational Resilience Act (DORA) in the EU to the continued evolution of FedRAMP to numerous state-level data protection laws — has created a complex tapestry of compliance requirements. For many organizations, this has led to a scramble to tick checkboxes to meet specific criteria, often at the expense of a cohesive, overarching cyber resilience strategy.
This approach is short-sighted and dangerous. While compliance is crucial, it should be a natural outcome of robust cyber resilience practices, not the driving force behind them. As businesses navigate evolving regulations, it’s essential to remember that the fundamental principles of cyber resilience remain unchanged:
- Comprehensive asset visibility and monitoring
- Properly configured perimeter defenses
- Strong security policies for things like passwords, the principle of least privilege and remote and personal device access
- Robust backup and recovery capabilities
- A security-centric culture through employee cybersecurity awareness
- Test and rehearsal
As a chief information security officer, there are three elements on this list I see most often lacking at organizations: comprehensive asset visibility and monitoring, robust backup and recovery capabilities and security-centric culture.
Comprehensive asset visibility and monitoring
The first step in any effective cyber resilience strategy is knowing what needs protecting. This means having a complete inventory of all assets, from endpoints and servers to cloud resources and connected smart devices. But it’s not enough to simply have a list, organizations need real-time visibility into the status and behavior of these assets. Implementing a thorough asset discovery and monitoring strategy should include:
- Automated discovery and classification of assets
- Continuous monitoring for changes and anomalies
- Integration with threat intelligence feeds for real-time risk assessment
- Comprehensive logging and audit trails
By maintaining this level of visibility, an organization is not only better positioned to detect and respond to threats, but also demonstrate compliance with various regulatory requirements.
While the benefits of comprehensive asset visibility are clear, maintaining this visibility has become extremely challenging in today’s complex, hybrid IT environments. The modern organizational network is a dynamic ecosystem, constantly shifting and evolving, which presents several unique challenges for security teams.
One of the primary difficulties lies in managing cloud-based assets. Unlike traditional on-premises infrastructure, cloud resources can be spun up or down dynamically, often in a matter of minutes. While beneficial for business operations, this flexibility can create blind spots in asset monitoring. Traditional asset discovery tools might miss a virtual machine that exists for only a few hours yet could still present a significant security risk if compromised.
Shadow IT and other unauthorized assets represent another significant challenge. As employees increasingly adopt cloud-based tools and services without IT approval, organizations face the risk of data being stored or processed on systems outside their visibility and control. These unauthorized assets can create significant security vulnerabilities and compliance risks.
To address these challenges, organizations must implement multi-layered monitoring strategies that adapt to diverse IT landscapes. This might involve combining traditional asset discovery tools with cloud-native monitoring solutions, implementing network segmentation and using user and entity behavior analytics to detect unusual activity that could indicate shadow IT usage.
Planning on Using AI for Security Compliance? Are You Sure You Don’t Just Need Automation?
Neither AI nor automation should be deployed without human oversight
Read moreRobust backup and recovery capabilities
With the alarming rise of ransomware, solid backup and recovery capabilities are perhaps the most important element of an effective cyber resilience strategy. It’s the last line of defense against attacks that increasingly try to lock organizations out of their data. And it goes far beyond simply having backups — it’s about ensuring backups are comprehensive, secure and quickly recoverable in a crisis.
Backing up data should follow the 3-2-1 best practice: keep at least three copies of data in different locations on at least two distinct storage mediums with at least one copy stored offsite and on immutable storage.
Arguably, even more important than backing up data and apps is the ability to recover them post cyber incident. All the backups in the world do no good if they can’t be quickly and fully recovered and restored. This requires frequent recovery rehearsals. Practice makes perfect.
A well-integrated approach to asset visibility and backup and recovery is essential for comprehensive cyber resilience. At its core, integration allows organizations to align their backup strategies with their most critical assets. Asset visibility tools provide a clear, real-time picture of an organization’s IT landscape, identifying and categorizing all devices, applications and data stores. This information is invaluable in shaping backup and recovery priorities. Instead of a one-size-fits-all approach, organizations can tailor their backup frequency, retention policies and recovery time objectives based on the criticality of each asset and regulatory requirements.
Many regulatory frameworks, such as the GDPR, require organizations to comprehensively understand their data assets and robust measures to protect this data. By combining backup and recovery with asset visibility, organizations can more easily demonstrate their compliance. They can show that they know what data they have, where it resides, how it’s protected and how quickly it can be recovered in case of an incident.
Fostering a security-centric culture
While robust technical measures are crucial, the human element of cyber resilience is equally critical. When leaders demonstrate that cyber resilience is a business imperative, not just an IT issue, it transforms how the entire organization approaches security. Taking a top-down approach includes regular cyber resilience briefings for executives, allocation of adequate resources and visible participation in security awareness activities.
Effective, ongoing communication is central to a cyber resilience-conscious culture. This involves transparent incident reporting; regular updates on new threats and protection measures; and clear, accessible security policies. Equally important is providing comprehensive security education tailored for different roles and departments, using both formal training and informal learning opportunities. Compliance significantly improves when employees understand not just the “what” but the “why” of cyber resilience measures.
For cyber resilience to truly become part of the organization’s DNA, it must be integrated into everyday business processes. This means including security considerations in project planning from the outset, making cyber resilience a key factor in vendor selection and management and regularly conducting and acting on security risk assessments. By fostering this robust cyber resilience culture, organizations can ensure that technical measures like those listed above are not just implemented, but are woven into the fabric of the organization, supporting compliance efforts and enhancing overall resilience.
In closing
Focusing solely on compliance checkboxes is tempting when facing today’s complex regulatory requirements. However, true cyber resilience comes from focusing on fundamental practices that enhance overall security posture, especially comprehensive asset visibility and monitoring, robust backup and recovery capabilities and fostering a security-centric culture. Remember, compliance should be a natural outcome of effective cyber resilience practices, not their primary driver.