
No Carrot for Non-Compliance – Only a Stick

by Brian Sims
Expectations of security are increasing in every region, making it vital that enterprises understand the risks posed to customer data and information in order to retain their trust. By managing new cyber security threats, asserts Morgan Jay, enterprises will be able to demonstrate their commitment to minimising risks to their customers.

Every day brings new varieties of threat, making the prospect of 100% absolute protection an impossibility. That’s precisely why every organisation needs to prioritise and implement the best security and data control objectives for their unique landscape.

We see organisations with strict compliance requirements, such as banks, focusing their security efforts on how to efficiently meet their regulatory obligations. On the other hand, there are organisations that use the aftermath of detected threats and incidents as indicators of where to prioritise security efforts. While these two tactics are very different, both are ad hoc approaches that can only address short-term risks to organisations.

The next best step for organisations to ensure maximum protection for their customers is a future-focused approach to assessing risk over a longer time frame. In the wake of the European Union’s General Data Protection Regulation (GDPR), we’ve seen many great security programmes established to meet this new compliance regime. Compliance mandates such as the GDPR provide organisations with the opportunity to investigate and locate sensitive data beyond the strict bounds of compliance to drive value for the whole organisation. By being aware of where these data sets are located, organisations can have greater control over them.

Unfortunately, some programmes have only been a last-minute ‘box-ticking’ exercise that doesn’t go any further than exactly what the regulations prescribe. In fact, in the first six weeks following the imposition of the GDPR, data breach complaints actually rose by 160%. This symbolises a flaw in several key compliance mandates.

Compliance-first approach not enough

The assumption has been that these regulations were introduced in part to protect enterprises, but the reality is that they’re designed to protect the sensitive data of individuals. Ultimately, there’s no carrot for non-compliance, only a stick. Simply adopting a compliance-first approach will not be enough to develop a holistic cyber security strategy. Greater planning and internal strategy are needed to work alongside current methods in order to develop the ultimate cyber security strategy.

This is where a risk-based approach to cyber security comes into play. Essentially, this involves performing a holistic assessment of possible threats and identifying where those threats line up with current security vulnerabilities. Wherever a threat intersects with a vulnerability, the resulting risk is assigned a score that also takes into account the impact on the enterprise if the risk materialises as an incident.

Once a score is assigned, risks can be viewed along a spectrum between low risk (which signifies that the possibility of an incident occurring is low and the potential effects to an enterprise are minimal) and high risk (which suggests that the risk will have a high adverse impact and has a high likelihood of occurring).

Developing these risk scores should involve broad stakeholder consultation to truly understand the effects of a potential incident and what the current capabilities are for mitigating them in the wake of an incident. Some risks have less to do with technology than with processes, so technology leaders need to consult with line-of-business (LOB) managers and functional departments to understand their needs and gain buy-in for prevention efforts.

Technology element of risk

The technology element of risk in relation to data also needs to be understood by every senior leader within the enterprise.

Technology decisions made within a risk-based approach could adversely affect an organisation’s operations and competitive ability, so leaders need good quality analysis from security teams to support their decisions to implement security controls.

Ultimately, we cannot pretend that any enterprise has the ability to protect against every threat imaginable. The assessment of the best security controls and technology will be different for every organisation. It requires a good measure of strategic planning to be carried out effectively.

Morgan Jay is Area Vice-President (EMEA) at Imperva
