In the world of cybersecurity, compliance is a no-brainer. Adhering to corporate and regulatory compliance standards is critical for enterprises. And while compliance does not ensure active and constant protection against cybersecurity threats, it's a standard to aim for that can help ensure better cybersecurity for enterprises.
Chris Hughes, CEO of Aquia, said in a recent LinkedIn post that it's a good baseline for enterprises — and the most effective way to get organizations to invest in cybersecurity.
“It is certainly the most powerful forcing function to make cybersecurity a priority, especially in the face of the fact that [cyberattack] incidents have negligible impacts on share price, revenue etc. and markets generally don't care.”
—Chris Hughes
On the flip side of the argument, there is concern about compliance as security relinquishing authority from security leadership to the legal departments within enterprises. The author Ross Haleliuk argued in a recent blog post (which Hughes referenced) that the compliance-as-security trend means "that the future of security will be defined by lawyers, not security practitioners."
This issue of compliance's effect on security came to the fore again in the industry after the 2021 research paper by Daniel W. Woods and Aaron Ceross, which noted that cybersecurity is becoming increasingly tied up in Legal. Here's what you need to know about the compliance-as-security trend — and how your organization can avoid the pitfalls of allowing security to be managed by lawyers.
Risk mitigation: Calling all lawyers
Cybersecurity is largely becoming mired in legalese in reaction to larger trends such as the U.S. Securities and Exchange Commission's push for publicly traded companies' liability for security failures and new guidelines from the U.S. Cybersecurity and Infrastructure Security Agency, Hughes told RL Blog in an interview.
“There is more emphasis around regulatory compliance and liability now with changes we see like the SEC and CISA liability than there is with cybersecurity directly. It is more about risk mitigation to the organization from a legal and a regulatory perspective, or to the individual than it is to risk reduction from a cyber-perspective.”
—Chris Hughes
Haleliuk’s post about the Woods and Ceross research paper caught Hughes’ attention. He said he was especially persuaded by its conclusion that cybersecurity is still immature and inefficient when it comes to quantifying impacts, investments, and ROI related to risks. Woods and Ceross concluded that lawyers will become the driving force in cybersecurity as issues including liability, regulation, and compliance dominate discussions in the future.
Hughes said in his LinkedIn post that the research Haleliuk cited lends credibility to his own compliance-as-security argument.
“So, to all the security practitioners bemoaning compliance, give it a second thought, because the reality is [that] in the absence of compliance, your organizations would likely have decreased investment and taken security less seriously than they already have."
—Chris Hughes
Haleliuk argued in his post that businesses must cope with additional challenges as they look at cybersecurity threats in new ways, and that argument resonated with Hughes. “We have heard a lot about cybersecurity risk quantification. But when you look at the industry, most organizations have not widely adopted those kinds of approaches because it is incredibly challenging to do so.”
Compliance makes enterprises act
One key argument for compliance as security, Hughes says, is that new regulations make enterprises take action.
“Ultimately — and anyone who has worked in cybersecurity knows this — if you want the business to do something about security, compliance is the No. 1 way to get them to do it. If there is a compliance requirement that they must meet, they are much more likely to listen to you. That is how they get motivated to meet the requirements they need to follow."
—Chris Hughes
However, Hughes noted that compliance should not define the scope of your security approach. "Compliance is the floor, not the ceiling,” he said.
In a more detailed post about the compliance-as-security trend on his blog in October, Hughes argued that compliance rules provide critical minimum security requirements that set the groundwork to protect companies — even when their IT staffs are not providing adequate protections:
“In the absence of … compliance requirements, we would likely be less secure because businesses would do even less than they already do when it comes to security. Compliance at least forces them to do some kind of baseline levels of security. It is not perfect, but it is a hell of a lot better than if we had no compliance requirements.”
—Chris Hughes
All security leaders know that compliance does not eliminate risk, he said, "but because it is compliance, it does equal security. It is just not the elimination of risk. But nothing would eliminate all risks.”
Security remains a cost center
The situation is made even more complicated when you consider the market forces that dictate how corporations around the world react to cybersecurity concerns and cyberattacks. The truth is that most organizations will not invest more in security than they are required to, he said.
“Organizations rightfully view cybersecurity as a cost center. They will continue to pass the cost of insecurity on to customers, consumers, and society until they are forced to do otherwise.”
—Chris Hughes
And because companies are driven to maximize shareholder value, the costs of providing adequate security can take a back seat to securing their systems, Hughes said. “We know from various sources that publicized security breaches do not have significant or long-term impacts on stock price, meaning the market forces are not sufficient to systemically change behaviors of software vendors. In the absence of market forces, compliance is all we have left,” he said.
Going beyond checkbox security is key
The realities and conflicts of cybersecurity and compliance highlighted by Hughes and Haleliuk are playing out in enterprises today, said Josh Knox, senior technical product marketing manager at ReversingLabs. But that can't define your cybersecurity posture, he said.
“Compliance is a lot of checkboxes. It is a thing you must do. But it cannot be the whole thing."
—Josh Knox
There must be real security, and you need someone who knows what they are doing to come in and assess the security, Knox stressed. "You are not going to be able to do it through compliance or philosophy alone. It must be a real security assessment that is tailored for each group. And that usually means spending money and painful things, and organizations just do not seem to like doing that.”
With the security landscape shifting, practitioners must make sure that business leaders recognize their responsibilities to protect against the highest risks. In recent years, those have tended to be software risks, Knox said, and it's a mistake to put too much trust in software vendors. Companies must do their own due diligence.
“You must do what you must do to protect your company.”
—Josh Knox