The cyber-security landscape is plagued by the fact that cybercriminals seem to be permanently one step ahead, and rather than addressing the problem, regulation seems in some cases to be compounding it. Understandably, many organisations are opting to define security policies based on regulatory requirements; the result, however, is that their security postures very quickly become out of date. Not only are regulations around 24 months old by the time they are implemented, but by taking a compliance-only approach, businesses could actually provide hackers with an 'access blueprint', as weaknesses in the security model that are not covered by regulation are clearly visible for any hacker to exploit.
As Paul German, CEO, Certes Technology, insists, a compliance-first approach to security is fundamentally insecure. It is time for companies to change their mindset, go beyond simply meeting regulatory requirements and focus on truly protecting data.
With the number of high profile security breaches still hitting the headlines, organisations are clearly struggling to lock down data against the continuously evolving threat landscape. Yet these breaches are not occurring at companies that have failed to recognise the risk to customer data; indeed, many have occurred at organisations that are meeting regulatory compliance requirements to protect customer data.
Given the huge investment companies in every market are making in order to comply with the raft of regulation that has been introduced over the past couple of decades, this continued vulnerability is, or should be, a massive concern. Regulatory compliance is clearly no safeguard against data breach.
Is this really a surprise, however? With new threats emerging weekly, the time lag inherent in the regulatory creation and implementation process is an obvious problem. It can take upwards of 24 months for a regulatory body to understand and identify weaknesses within its existing guidelines, update and publish requirements, and then set a viable timeline for compliance, often 12 to 18 months. During this time an organisation with a security strategy dictated by compliance is inherently insecure. Furthermore, these are catch-all standards that are both open to interpretation and fail to address specific business needs or operational models, immediately creating security weaknesses.
Yet despite this obvious vulnerability, organisations are actually moving towards a compliance...