Security teams are already overwhelmed keeping up with threats and protecting the network and the data that flows within it. Especially in a highly regulated industry such as finance, healthcare, or utilities, it can be a real challenge to also keep up with every change in regulation.
What’s wrong with compliance?
We have quite a few members of our team who have been involved in consulting with regulatory bodies. Some of them still do. The people who make up these councils are usually the best and the brightest in the industry – and sometimes there is an ego that goes along with that. One person says something philosophical about security and sends the discussion down a rabbit hole, which creates a bit of a disconnect from the actual need.
Compliance isn’t security…
…but they intersect quite a bit.
Going the extra mile with cyber defense
When it’s time to do your compliance laundry list, adding in a cyber defense option can help bring more security ROI. Yes, it might cost less in the short-term to get a service that satisfies the compliance requirement. That cost won’t look as good when you pass your audit and fail an actual attack.
Attackers don’t care about compliance
You can spend your entire budget on being compliant and still get attacked. It is a delicate dance between keeping up with the regulators and keeping up with the actual threats that exist. Laws can take years to change; breaches can happen in seconds.
Getting offensive with compliance
We have to change the way we look at compliance. Rather than treating it as an obligatory exercise, use it as an excuse to bring extra elements of security in. We look at these regulations like perfume: you don’t drink perfume, because it’s poison. You smell perfume and decide what works best for your situation. This is what we need to do with regulation. Use the regulation as a guideline and find a way to achieve both compliance and actual cyber defense. Using a vendor who specializes in the attacker’s mindset is a great tactic here. Ensure you meet all the requirements, sure. Don’t stop there. The findings you get from the assessment need to include an attacker’s perspective as well. This makes the task that used to be eye-roll worthy actually worth the money you’re spending.
Want help with cyber defense?
HolistiCyber focuses on the nation-state grade threat to the enterprise. Would you like to speak to one of our nation-state trained experts? Reach out to us on our Contact Us page or any of our social channels!