No Carrot for Non-Compliance – Only a Stick

Morgan Jay

Expectations of security are increasing in every region, making it vital that enterprises understand the risks posed to customer data and information in order to retain their trust. By managing new cyber security threats, asserts Morgan Jay, enterprises will be able to demonstrate their commitment to minimising risks to their customers.

Every day brings new varieties of threat, making the prospect of absolute protection an impossibility. That’s precisely why every organisation needs to prioritise and implement the security and data control objectives that best fit its unique landscape.

We see organisations with strict compliance requirements, such as banks, focusing their security efforts on how to efficiently meet their regulatory obligations. On the other hand, there are those organisations that use the aftermath of detected threats and incidents as indicators of where to prioritise security efforts. While these two tactics are very different, both are ad hoc approaches that can only address short-term risks to organisations.

The next best step for organisations to ensure maximum protection for their customers is a future-focused approach to assessing risk over a longer time frame. In the wake of the European Union’s General Data Protection Regulation (GDPR), we’ve seen many great security programmes established to meet this new compliance regime. Compliance mandates such as the GDPR provide organisations with the opportunity to investigate and locate sensitive data beyond the strict bounds of compliance to drive value for the whole organisation. By being aware of where these data sets are located, organisations can have greater control over them.

Unfortunately, some programmes have only been a last-minute ‘box-ticking’ exercise that goes no further than exactly what the regulations prescribe. In fact, in the first six weeks following the imposition of the GDPR, data breach complaints actually rose by 160%. This points to a flaw in several key compliance mandates.

Compliance-first approach not enough

The assumption has been that these regulations have been introduced in part to protect enterprises, but the reality is that they’re designed to protect the sensitive data of individuals. Ultimately, there’s no carrot for non-compliance, only a stick. Simply adopting a compliance-first approach will not be enough to develop a holistic cyber security strategy. Greater planning and internal strategy are needed to work alongside current methods in order to develop the ultimate cyber security strategy.

This is where a risk-based approach to cyber security comes into play. Essentially, this involves performing a holistic assessment of possible threats and mapping them against current security vulnerabilities. Where a threat intersects with a vulnerability, that risk is assigned a score which also considers the impact on the enterprise if the risk materialises as an incident.

Once a score is assigned, risks can be viewed along a spectrum between low risk (which signifies that the possibility of an incident occurring is low and the potential effects to an enterprise are minimal) and high risk (which suggests that the risk will have a high adverse impact and has a high likelihood of occurring).
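The scoring described above, written out as a small risk register; this is an added example and not code from the article or from Imperva. The 1-to-5 likelihood and impact scales, the score thresholds and the sample threats and vulnerabilities are all assumptions constructed for illustration.

```python
"""Risk register: score each threat/vulnerability intersection by likelihood x impact."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # assumed scale: 1 (rare) .. 5 (almost certain)
    exploits: frozenset    # weakness classes this threat can make use of


@dataclass(frozen=True)
class Vulnerability:
    name: str
    weakness: str          # weakness class, matched against Threat.exploits
    impact: int            # assumed scale: 1 (negligible) .. 5 (severe) business impact


def rating(score: int) -> str:
    """Place a score (1..25) on the low/medium/high spectrum (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def risk_register(threats, vulns):
    """Return scored risks, highest first. A threat only becomes a risk where it
    meets a vulnerability it can actually exploit; other pairs are discarded."""
    risks = []
    for t, v in product(threats, vulns):
        if v.weakness in t.exploits:
            score = t.likelihood * v.impact
            risks.append({"threat": t.name, "vulnerability": v.name,
                          "score": score, "rating": rating(score)})
    return sorted(risks, key=lambda r: r["score"], reverse=True)


# Constructed sample data for a fictional organisation.
THREATS = [
    Threat("phishing", 5, frozenset({"weak-auth", "user-awareness"})),
    Threat("ransomware", 4, frozenset({"unpatched", "weak-auth"})),
    Threat("insider misuse", 2, frozenset({"excess-privilege"})),
    Threat("device theft", 1, frozenset({"unencrypted-device"})),
]
VULNS = [
    Vulnerability("no MFA on customer portal", "weak-auth", 5),
    Vulnerability("laptops not encrypted", "unencrypted-device", 4),
    Vulnerability("DBA accounts never access-reviewed", "excess-privilege", 5),
    Vulnerability("unpatched file server", "unpatched", 3),
]
```

Calling `risk_register(THREATS, VULNS)` yields five risks, from phishing against the portal (score 25, high) down to device theft against unencrypted laptops (score 4, low), which is the ordered list a stakeholder consultation would then work through.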

Developing these risk scores should involve broad stakeholder consultation to truly understand the effects of a potential incident and what the current capabilities are for mitigating them in the wake of an incident. Some risks have less to do with technology than with processes, so technology leaders need to consult with line-of-business (LOB) managers and functional departments to understand their needs and gain buy-in for prevention efforts.

Technology element of risk

The technology element of risk in relation to data also needs to be understood by every senior leader within the enterprise.

Technology decisions made within a risk-based approach could adversely affect an organisation’s operations and competitive ability, so leaders need good quality analysis from security teams to support their decisions to implement security controls.

Ultimately, we cannot pretend that any enterprise has the ability to protect against every threat imaginable. The assessment of the best security controls and technology will be different for every organisation. It requires a good measure of strategic planning to be carried out effectively.

Morgan Jay is Area Vice-President (EMEA) at Imperva
