Cyber-security must reflect risk not just regulation

December 5, 2016

Security is often closely associated with standards and regulations, and there’s an assumption that if you are compliant, by default you are secure.

That’s a dangerous assumption, says Nadav Shatz.

It’s an interconnected world, but for the connectivity to work securely, there are a myriad of standards and regulations to which companies need to adhere. It’s also a world with a bewildering array of IT security threats.

The normal response is to develop a company-wide compliance framework based on standards and regulations. While this approach means that standards and regulations are met, maintaining trust and keeping trade moving, this may not actually improve security.

Lessons from history

Cyber-security based on standards and regulations often only fixes yesterday’s problems, responding to challenges that other organisations have already faced and dealt with. It’s an approach that can make it difficult to respond quickly to the innovative threats that are emerging every day.

Standards and regulatory requirements provide a useful, industry-accepted framework, but implementing them arguably means that firms are only meeting the minimum security requirements. The people who want to breach security, get into a firm’s networks and take advantage of the data they contain are constantly innovating, so a security framework needs to be flexible enough to develop and evolve alongside the risk and the organisation’s environment, rather than merely keep up with the regulations.

If a firm focuses on putting products or tools in place that address today’s risks, it can get sucked into an audit-driven approach to standards and regulations that leaves it open to different attacks as the vectors change. In general, it’s not just about the technology and the product, but how you use and deploy them to confront the risks.
