[02-01-24]--Is "Compliance Doesn't Equal Security" a Pointless Argument?

Defense In Depth talks about Why Compliance Doesn't Equal Security Is a Pointless Argument

Defense in Depth
Is "Compliance Doesn't Equal Security" a Pointless Argument?

A security program shouldn't stop at compliance, but that doesn't mean we should undervalue it either. It's easy to just say compliance comes down to ticking boxes, but that can still deliver value to a security program. Why is compliance important and why is it often getting a bad name these days?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our guest Derek Fisher, executive director of product security, JP Morgan.

Compliance sets a standard

While it may be easy to characterize compliance as a perfunctory checklist, “it’s usually based on some well-established standard, whether it's a framework or just a giant list of security controls. The point is to establish a benchmark. It's a solid beginning,” said Shawn Olson of Foundation InfoSec Services. But even well-grounded compliance requirements only set out an end goal. Organizations still need to figure out how to get there, said Aditya Sarangapani of WNS: "You still need to define the processes and procedures that meet the guidelines and your business requirements. You need to identify the scope of what is compliant."

Business connects with compliance

It’s often easier to connect compliance to the business than cybersecurity considerations. "The problem lies in cases where a particular security measure isn't considered compliant due to its industry's compliance requirement. The tension often is between the ones in the trenches and the ones approving the budgets," said Arnold Rogers-Beckley. This tension becomes a sore spot with cybersecurity practitioners when it’s disconnected from risk. "With compliance, people tend to get fixated on ticking all the boxes. This leads to waste when we all know that cyber security resources are always finite and in short supply," said Sean Lengyel of Simply SecOps.

Building a virtuous circle

It can be a mistake to put compliance and cybersecurity at odds. The ability to meet compliance, or effectively achieve a framework standard, can create better infrastructure. "A well-executed compliance plan equals the maturity of your controls. Mature controls ultimately drive to lower your inherent risk so hopefully you’re left with manageable residual risk," said Ionel Chila of Cornerstone Capital Bank. While compliance and security ultimately manage different purviews, the tools needed to achieve both can be complementary.

Organizations can’t stop at the minimum

Ultimately, if a company holds cybersecurity and data protection as a core ethos, compliance can serve as a cybersecurity enabler. "Compliance will always make the organization more secure. But if they're staffing and executing based on this bare minimum, then there's really no true belief in cybersecurity and data protection for their customers," said Jack Nunziato of DoControl. Compliance and cybersecurity must stay focused on enabling the overall mission of the business. Keeping the business in view can let each of these aspects shed light on the other. "Compliance can be a ‘gateway drug’ to improve organizations. Some start with an attitude around doing what must be done, but their eyes are opened to an array of unmanaged risks in the process," noted Duane Gran of Converge Technology Solutions.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, RevealSecurity

Super Cyber Fridays!
NEW DATE! Join us NEXT WEEK, Friday [02-09-24], for Super Cyber GAME SHOW Friday

Join us Friday, February 9, 2024, for “Super Cyber GAME SHOW Friday”, one hour packed with cyber games. We'll be bringing our audience into the show to play some of our favorite games.

It all begins at 1 PM ET/10 AM PT on Friday, February 9, 2024. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Mary Rose Martinez, vp, CISO, Marathon Petroleum Corporation.

Thanks to our Cyber Security Headlines sponsor, Vanta

Cyber chatter from around the web...
Jump in on these conversations

"What is cybersecurity like in the military?"

“How much are you making in your GRC role?”

"Security vendor local spam calls"

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [02-09-24] Super Cyber GAME SHOW Friday

  • [02-16-24] Hacking Compliance Vs. Security

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.