Why Compliance is for Guidance, Not a Security Strategy

Chief information officers face challenges obtaining buy-in to invest in cybersecurity. Yet equating compliance to security is the biggest mistake CISOs are making.

Guest Commentary

April 15, 2020


It’s a problematic question security teams get asked by the business side throughout their careers: “If we’re compliant, why do we need to continue investing in cybersecurity initiatives?”

The answer can be found with a quick internet search. Take the Equifax data breach. In September 2017, Equifax, one of the largest consumer reporting agencies, announced a breach affecting roughly 147 million consumers. Its network was compliant on paper, but the attackers got in through a publicly known, unpatched vulnerability in the Apache Struts web framework: being compliant had not produced a security program adequate to protect its customers’ sensitive and private information.

Yet even catastrophic breaches like Equifax’s leave many senior executives and board members unfazed. Sixty-four percent of executives around the world -- and 74% of those in the US -- feel that adhering to compliance requirements is a “very” or “extremely” effective way to keep data secure, according to 451 Research. Often, their strategy defaults to the following logic: As long as we meet the legal standard, we’ll transfer any remaining risk to insurance.

But in recent years, that philosophy has been challenged. Mondelez relied on that approach until, after the 2017 NotPetya attack, its insurer refused to pay the claim by invoking a common but previously rarely used contract provision, the “war exclusion.” Under that clause, when an attack is attributed to a nation-state, the insurer can treat the company’s loss as collateral damage in an act of war and decline coverage.

Regulators are beginning to push back against these mistakes, encouraging organizations to appoint board members who are well-versed in information security and can ask the right questions to ensure a meaningful security strategy is in place. Nonetheless, until such a requirement is actually passed, this remains just that -- a suggestion.

A never-ending battle

This predicament leaves security experts fighting a two-front battle: one with hackers trying to gain access to a company’s most sensitive business data, and the other with senior leadership regarding funding for security products.

In today’s digital age, once an organization improves its security posture in one area, hackers simply move to a different attack vector. And to protect against a new vulnerability, it often requires additional budget -- whether that’s in additional headcount or security products to increase control.

Executives are concerned about the company’s bottom line, and rightfully so. It’s their job to ensure the business practices fiscal responsibility and reaches its revenue goals. As they watch security spending increase, budget fatigue sets in. Decision-makers want to know when the business will reach a level of maturity at which it can stop investing in cybersecurity.

The unfortunate answer is never. Businesses are fighting a dynamic adversary, and as technology evolves, so do attacker tactics. So, how do forward-thinking CISOs and security experts ensure their company doesn’t fall victim to the next big data breach?

A strategy fit for your business

The first thing security professionals need to understand is that they are wrong if they assume everyone already recognizes the risk of leaving security to universal compliance standards.

However, the wave of recent regulatory standards, like GDPR and CCPA, has put compliance top-of-mind for board members, and that creates a timely occasion for security teams and senior leadership to meet and develop a thoughtful, combined approach to protection and compliance.

A fundamental piece of both initiatives is understanding the business’s data landscape. Where does the data live? Which regulations apply to it, and which systems fall in scope for each?

Most organizations will stop there and apply a compliance-based security method in which every system gets the same approach to patching and protection. Effective CISOs take it a step further and change the risk paradigm, asking leaders difficult questions about where the business itself is most exposed.

For instance, what system within our business has the most sensitive information? Could it be systems with confidential data on potential mergers or acquisitions? Or critical business applications that store customer, financial, sales, and human resources data? On the surface, it may not seem like these systems are the most important. Still, once the implications of losing or disrupting this data are realized, teams can start to prioritize protection for their specific business needs.

Compliance as guidance

No governing agency can tell you how to protect your network best. Compliance frameworks and regulations are high-level guidelines on which risks need to be addressed. When viewed through the right lens, though, they can serve as a helpful start on the journey to a more meaningful security strategy.

With this in mind, and support from senior leadership, security teams can use these frameworks to understand their data landscape better and prioritize protection where it matters most. Then, and only then, will businesses have the proper foundation to a security posture that reflects the way an organization does business. This process will help security teams check the compliance box with confidence that their most critical business information and data are secure. 


With over 20 years of information security and IT leadership experience, Jason Fruge leads Onapsis’ Global Professional Services team, a critical part of Onapsis’ customer success efforts. Previously, as CISO at Fossil Group, he was responsible for providing leadership and information security advice, governance and subject-matter expertise to the company’s executive leadership and global team of technical staff who manage critical distributed information systems.

About the Author(s)

Guest Commentary

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT professionals in a meaningful way. We publish Guest Commentaries from IT practitioners, industry analysts, technology evangelists, and researchers in the field. We are focusing on four main topics: cloud computing; DevOps; data and analytics; and IT leadership and career development. We aim to offer objective, practical advice to our audience on those topics from people who have deep experience in these topics and know the ropes. Guest Commentaries must be vendor neutral. We don't publish articles that promote the writer's company or product.
