Compliance will not give you good security, although effective security can help to support compliance programs, experts argued today.
During a panel debate on day two of Infosecurity Europe, Upp director of information and cyber, Ian Hill, warned that regulations often say “what you should do, but not how to do it.”
He added that many fail to keep pace with the reality of working in cybersecurity, citing how it took the ISO 27001 standard nine years to include the common scenario of data leak prevention.
Laure Lydon, senior director of security governance and assurance at Babylon, urged organizations to follow the general guidance that compliance frameworks offer, but to always put them in the context of the business itself.
“It’s about taking the intent of regulations and standards and using those, because they still very much have a place. They give us good frameworks to work from and provide a level of assurance that’s sometimes needed,” she added.
“But we need to be cautious of resting our laurels on false assurances, and instead taking the intent of the compliance frameworks out there and applying them in a way that supports good security.”
Read more on compliance: Making PCI Compliance a Good Habit.
Allica Bank CISO, Peter Smith, said that there’s often a big difference between the compliance status of an organization and the reality.
“We’ve all worked for companies with beautifully crafted high-level policies, but nobody’s read them even though they’ve passed the audit,” he added. “So a key part is to ensure processes are aligned. It’s very important to understand what’s needed but also to make sure the company’s actually doing those things.”
University of Nottingham professor of cybersecurity, Steven Furnell, agreed.
“Compliance isn’t itself the goal, security is the goal – so that’s what we need to have our eyes on,” he argued. “Just because we are compliant with something doesn’t necessarily mean it’s being followed through in the underlying practice.”
Lydon advised organizations to “take a step back” when looking at a new set of requirements.
“Sometimes when we look at brand new set of compliance requirements, we obsess on ticking every box,” she argued. “Often if we can think about ‘how does it strengthen what we do’ … and work backwards in how we can meet that requirement, that is best. It’s about not being dictated to by the letter of the standard and thinking about the application of it in a practical context.”
The cybersecurity function should be an ally in helping business units achieve this, rather than an enforcer, Smith added.
“Teach other teams about security, helping them to empower themselves to know what looks good,” he said. “The role of security becomes more about guidance than something prohibitive.”