As many information security professionals have understood for years, compliance is important, but it does not mean the organization is secure. Further, security professionals often find themselves feeling like they have to fight for their budgets.
A cycle can develop whereby the CIO and CFO want to understand and support only those resources needed to meet mandated cyber security compliance requirements. Once those resource requirements are known, funding may be capped at that level. This can leave the organization exposed to a broader range of risks that fall outside the scope of compliance.
When a Compliance-driven Approach is Used
Running a risk management program focused solely on compliance not only leaves the organization exposed to unaddressed risks, it also creates no competitive value. A critical business gap resulting from a compliance-driven mindset stems from the fact that cyber security compliance activities do not support innovation and growth.
First, there is no such thing as being “the most compliant.” Being compliant won’t make you stand out if your competitors are also compliant, but showing you have a proactive, risk-based approach to third-party risk management could.
Further, compliance activities drain resources while protecting someone else’s interests. For example, Payment Card Industry Data Security Standard (PCI DSS) compliance shifts liability away from the organization and processors and back to the credit card companies. While compliance is certainly beneficial to the organization and its partners from a risk reduction perspective, it is of greater benefit to the credit card companies. That is why the credit card companies created PCI DSS.
Also, it is critical to understand that compliance activities were not created for the benefit of your organization’s innovation and growth. While you have invested critical and scarce resources to innovatively fill a gap in the market, compliance regimes have not been structured to help protect your unique intellectual property and keep it from being lost, stolen, or compromised. Yet protecting these resources is essential, as your intellectual property is the lifeblood that will sustain and grow your organization. The risk posed by cyber espionage, for example, has cost Fortune 500 companies billions of dollars and is just one of many concerns that fall outside the bounds of compliance regulations.
Benefits of a Risk-based Approach
1. Creates a competitive advantage over competitors focused solely on compliance. For example, instead of focusing on data-at-rest encryption to meet SOX, PCI or HIPAA requirements, focus on data-at-rest encryption for your sensitive data, whatever and wherever it is in your digital ecosystem.
2. Protects your unique resources that create differentiated products or services. Again, protecting your intellectual property is not a mission of compliance regimes; it is entirely the responsibility of your and your partners’ organizations. A risk-based approach allows you to better understand and focus resources where they matter most to your organization. Therefore, it is critical to know what your key resources are, where they are, and what can best be done to protect them in the most resource-efficient manner.
3. Increases the strategic value of the organization. Your ecosystem will be more secure, which creates increased strategic value for your organization, your customers, and your third parties. The overall result is that your entire ecosystem becomes more valuable.