No carrot for non-compliance

by Mark Rowe

Expectations of security are increasing in every region, making it vital that enterprises understand the risks to customer data and information to retain their trust. By managing new cybersecurity threats, enterprises will be able to demonstrate their commitment to minimising risks to their customers, writes Morgan Jay, Area Vice President EMEA at the cyber security product company Imperva.

However, every day brings new varieties of threat, making the prospect of absolute protection an impossibility. That’s why every organisation needs to prioritise and implement the best security and data control objectives for their unique landscape.

We see organisations with strict compliance requirements, such as banks, focusing their security efforts on how to meet their regulatory obligations efficiently. On the other hand, there are organisations that use the aftermath of detected threats and incidents as indicators of where to prioritise security efforts. While these two tactics are very different, both are ad-hoc approaches that can only address short-term risks to the organisation.

The next best step for organisations to ensure maximum protection for their customers is a future-focused approach to assessing risk over a longer timeframe. In the wake of GDPR, we’ve seen many great security programs established to meet this new compliance regime. Compliance mandates, such as GDPR, provide organisations with the opportunity to investigate and locate sensitive data beyond the strict bounds of compliance to drive value for the whole organisation. By being aware of where these datasets are located, organisations can have a greater control over these data assets.

Unfortunately, some programmes have been only a last-minute box-ticking exercise that goes no further than exactly what the regulations prescribe. In fact, in the first six weeks following the imposition of GDPR, data breach complaints actually rose by 160 per cent. This points to a flaw in several key compliance mandates.

A compliance-first approach is not enough.

The assumption has been that these regulations were introduced in part to protect enterprises, but the reality is that they are designed to protect the sensitive data of individuals. Ultimately, there is no carrot for non-compliance, only a stick. Simply adopting a compliance-first approach will not be enough to develop a holistic cybersecurity strategy. Greater planning and internal strategy are needed, working alongside current methods, to develop the ultimate cybersecurity strategy.

This is where a risk-based approach to cybersecurity comes into play. Essentially, this involves performing a holistic assessment of possible threats and assessing where those threats line up with your current security vulnerabilities. Where a threat intersects with a vulnerability, the resulting risk is assigned a score that also considers the impact on the enterprise if the risk materialises in an incident. Once a score is assigned, risks can be viewed along a spectrum from low risk (the possibility of an incident occurring is low and the potential effects on the enterprise are minimal) to high risk (the risk has a high likelihood of occurring and would have a high adverse impact).
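The scoring method just described can be made concrete as a small risk register: list threats, list the weaknesses actually present in your environment, keep only the pairs that intersect, score each pair by likelihood and impact, and rank the result so the top of the list is where effort should go. The following Python is an added illustration written for this article, not code from the author or from Imperva; the threat names, weakness classes, numeric scales and band thresholds are all constructed assumptions, since the interview describes only the method and the two ends of the spectrum.

```python
"""Minimal risk register: threat x vulnerability intersection, scored by
likelihood and impact, then ranked. All sample data below is constructed."""
from dataclasses import dataclass
from itertools import product
from collections import Counter


@dataclass(frozen=True)
class Threat:
    name: str
    targets: frozenset  # weakness classes this threat can act on (assumed taxonomy)
    likelihood: int     # 1 (rare) .. 5 (almost certain), assumed scale


@dataclass(frozen=True)
class Vulnerability:
    name: str
    weakness: str       # weakness class present in the environment
    asset: str          # what is exposed if the weakness is used
    impact: int         # 1 (negligible) .. 5 (severe), assumed scale


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    asset: str
    score: int
    band: str


def band_for(score: int) -> str:
    """Map a 1..25 score onto the low/medium/high spectrum.
    Thresholds are an assumption for this example, not from the article."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def build_register(threats, vulns):
    """Return Risk entries for every threat that intersects a vulnerability,
    highest score first. Pairs with no intersection produce no entry."""
    register = []
    for threat, vuln in product(threats, vulns):
        if vuln.weakness not in threat.targets:
            continue  # threat cannot act on this weakness: no risk entry
        score = threat.likelihood * vuln.impact
        register.append(Risk(threat.name, vuln.name, vuln.asset, score, band_for(score)))
    # Stable sort, so equal scores keep input order (threat-major, then vulnerability)
    return sorted(register, key=lambda r: r.score, reverse=True)


def summarise(register):
    """Count entries per band, useful for reporting to non-technical stakeholders."""
    return dict(Counter(r.band for r in register))


# Constructed sample data for a fictional organisation.
SAMPLE_THREATS = [
    Threat("credential stuffing", frozenset({"weak-auth"}), 5),
    Threat("ransomware", frozenset({"unpatched-endpoint", "backup-gaps"}), 4),
    Threat("insider data export", frozenset({"excess-privilege"}), 2),
]

SAMPLE_VULNS = [
    Vulnerability("no MFA on customer portal", "weak-auth", "customer portal", 4),
    Vulnerability("unpatched laptops", "unpatched-endpoint", "endpoints", 3),
    Vulnerability("stale, untested backups", "backup-gaps", "file servers", 5),
    Vulnerability("broad read access to customer DB", "excess-privilege", "customer DB", 5),
    Vulnerability("shared password on legacy wiki", "weak-auth", "intranet wiki", 1),
]

if __name__ == "__main__":
    for risk in build_register(SAMPLE_THREATS, SAMPLE_VULNS):
        print(f"{risk.band:6} {risk.score:2}  {risk.threat} -> {risk.vulnerability} ({risk.asset})")
    print(summarise(build_register(SAMPLE_THREATS, SAMPLE_VULNS)))
```

On the sample data the register ranks the missing-MFA portal and the untested backups as the two high-band risks, and the shared wiki password lands in the low band despite a near-certain threat, because the impact of that asset is negligible. That is the point of scoring both factors: likelihood alone would put the wiki above the backups. The likelihood and impact figures are exactly what the stakeholder consultation described below should produce.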

Developing these risk scores should involve broad stakeholder consultation to truly understand the effects of a potential incident, and what your current capabilities are for mitigating them in the wake of an incident. Some risks have less to do with technology than with processes, so technology leaders need to consult line-of-business (LOB) managers and functional departments to understand their needs and to gain buy-in for prevention efforts. However, the technology element of risk in relation to data also needs to be understood by every senior leader within the enterprise.

Technology decisions made within a risk-based approach could adversely affect an organisation’s operations and competitive ability, so leaders need good quality analysis from security teams to support their decisions to implement security controls. Ultimately, we cannot pretend that any enterprise has the ability to protect against every threat imaginable. The assessment of the best security controls and technology will be different for every organisation, and it requires a good measure of strategic planning to be carried out effectively.

© 2024 Professional Security Magazine. All rights reserved.