Regulatory Compliance Does Not Guarantee Security
Many organizations boast about their regulatory compliance and the certifications that they have obtained. In fact, achieving and maintaining compliance with certain regulatory requirements is necessary for some organizations to do business and/or process certain types of protected information.
While regulatory compliance is a great place to start, it does not guarantee that the organization is protected against cyber threats. Every retailer that has suffered a breach of payment card information was certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). However, post-breach investigations repeatedly uncovered a common theme of security and compliance issues.
This gap between compliance and security exists for several reasons. During a compliance audit, an assessor may have overlooked an issue. Or, as in the case of 63.3% of PCI DSS “compliant” organizations, the company may have been compliant at the time the audit was performed but has let its security lapse between assessments. Alternatively, the organization could have been breached simply because the security controls required for compliance were not enough to protect it against real-world cyber threats.
Compliance Should Be the Floor, Not the Ceiling
The security requirements that are outlined in regulations are a good starting point when developing a cybersecurity strategy. Failure to put these security controls, policies, and procedures in place results in a cybersecurity plan that is inadequate to protect sensitive data and may result in lawsuits and regulatory penalties.
However, the fact that a single regulation requires certain security controls to be in place does not mean that these controls provide a reasonable level of protection against cyber threats. In fact, the security controls required by law are likely to be inadequate for several different reasons:
- Regulations are infrequently updated. The process of updating data protection laws can be complex, and an updated version can be years in the making. This means that the current version of a regulation likely does not address next-generation technology (such as 5G or the blockchain) or the latest cyber threats.
- Regulations are “one size fits all.” Data protection laws are designed to apply to every organization within their jurisdiction even though these organizations each have a unique network environment and business processes. This makes it impossible to lay out a set of required security controls that perfectly meets an organization’s security use cases.
- Regulations are designed to be a set of minimum standards. Regulatory authorities lay out a set of minimum standards as a basis for penalizing organizations that are criminally negligent in their protection of personal data. These standards are not designed to be a complete security policy or to protect against all cyber threats.
When designing a cybersecurity strategy, regulatory compliance requirements should be the floor, not the ceiling. While doing nothing more than the minimum requirements may not result in regulatory penalties, a data breach or other cybersecurity incident that capitalizes on inadequate cybersecurity can still cause significant financial and reputational damage to the organization.