Pursuing Compliance: Here Is Why You’re a Walking Data Breach

Cybersecurity Strategy: Compliance < Security

For as long as information security has been a function of the organization, there has been justified tension in cybersecurity strategy between focusing on compliance and pursuing security. One of the most frustrating pressures to deal with as a security leader is budget. Your business stakeholders want to spend less on security, and you have to somehow figure out how to roll out next-generation anti-virus to 10,000 endpoints to keep your business processes secure. The cost conversation is often a driving factor in deciding the security strategy of your organization. Ultimately, a given organization has to contend with cost-prohibitive constraints. Often, the organization elects to treat compliance requirements as the driving factor for the implementation of cybersecurity. After all, you have to meet compliance requirements. This approach leads to what I call The Walking Data Breach: an organization that has a false sense of security as a result of satisfying its compliance requirements.

Strategically, if a data breach can be prevented with only $10 million a year, as opposed to $12 million a year, it can be difficult to justify the extra two million in expenditure. The problem with this logic is that a data breach simply cannot be prevented. A data breach can only be avoided. No matter how good your security is, criminals will find a way. This brings us to the primary point:

If your goal is compliance, you will never be secure. If your goal is security, you will always reach compliance.

The Compliance Problem

The fundamental problem with pursuing compliance is that compliance is a set of rules and regulations imposed on the organization by a governing body. Criminals, at the most basic level, are rule breakers. Rule breakers won’t play by the rules you’re governed by. The second problem with pursuing compliance is that compliance requirements were never meant to guide security programs. When the government creates public policy, the policy is created much like you would create policy within your organization: broad, high-level requirements that commit the organization to do something. With public policy, legislators cannot be too prescriptive in the regulations they write, because organizations would have a difficult time achieving all of the requirements. That would apply undue pressure on businesses that aren’t quite ready for a strong security program and would amount to overregulation. The balance is the creation of a basic set of security requirements which must be followed, under the assumption that organizations will do more. Your organization should do more.

When security is your goal, you will always reach compliance. This idea follows from the assertion that compliance requirements are written with security in mind. Here is an example: a fictitious compliance requirement states that you must perform a penetration test every 5 years. In practice, you penetration test every year, or upon a significant change to the application, to assure its security. By implementing strong security practices, you more than achieve compliance.

It is also important to consider the risk associated with your security implementation. If your goal is security, it can be easy to go overboard and over-secure your assets, which wastes organizational resources. You wouldn’t want to build a 30ft wall in front of a church. The appropriate security measures for your organization must be guided by the organization’s risk appetite. The risk appetite is a guiding strategic statement for your organization that describes what level of risk your organization will accept. If the organization is a bank, then the risk appetite would be very low, as you wouldn’t want lingering cybersecurity risks in a financial institution. If your risk appetite were high, you’d likely be a smaller business, and your impact from a given loss would be significantly less.

The Walking Data Breach organization has a false sense of security, fueled by its satisfaction of its compliance requirements. Criminals continue to get better every single day. Your organization must prioritize security over compliance and implement security to the level of your risk appetite.

© 2020 The Penn Group, LLC.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. The Penn Group does not and will not sale your data. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non-necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

SAVE & ACCEPT