Experts argued today that effective security helps support a compliance program, but compliance does not equal good security.
During a panel discussion on the second day of Infosecurity Europe, Upp’s director of information and cyber, Ian Hill, said the regulations “say what to do, but not how to do it.” He warned that there are many of them.
Citing the example of the ISO 27001 standard, which took nine years to include common data loss prevention scenarios, he added that many companies have not kept their efforts up to date with the reality of the cybersecurity space.
Laure Lydon, Senior Director of Security Governance and Assurance at Babylon, urged organizations to follow the general guidance provided by compliance frameworks, but always put it in the context of the business itself.
“It’s important to take the intent of regulations and standards and leverage them because they are still very well exploited. They give us a good framework to work with and we provide the level of assurance that is required in some cases,” she added.
“But we should be careful about settling for false assurances and instead taking the intent of the compliance frameworks out there and applying them in a way that supports good security.”
Allica Bank CISO Peter Smith said there is often a big difference between an organization’s compliance posture and reality.
“We’ve all worked for companies that have beautifully crafted, high-level policies, but nobody reads them, even if they pass audits,” he added. “So the key is to make sure the processes are aligned. It is also important to check
Steven Furnell, a professor of cybersecurity at the University of Nottingham, agreed.
“Compliance is not the goal per se, security is the goal. So that’s where we need to look,” he argued. “Just because we are compliant with something does not necessarily mean that its underlying practices are adhered to.”
Lydon advised organizations to “step back” when considering the new set of requirements.
“Sometimes when you consider a whole new set of compliance requirements, you get obsessed with ticking all the boxes,” she claimed. “Often, it’s best if we can think about ‘how it enhances what we do’ and work backwards on how to meet that requirement, thinking about its application in a practical context.”
The cybersecurity department should be a collaborator in helping the business achieve this, not an enforcer, Smith added.
“Teach other teams about security and help them decide what looks good,” he said. “The role of security will become directive rather than prohibitive.”