As new mandates come online, most firms need to ensure IT systems meet changing regulations. But is compliance stealing resources from cybersecurity efforts?
Four out of five firms are more worried about compliance than they were five years ago, according to recent research from Hornetsecurity. In more than half (57%) of organisations, the IT department bears the load of compliance assurance, the study reveals.
And, in the majority of cases, compliance overload has a significant impact on the IT function's ability to do its job. As a result, 13% of firms are unable to state whether they are fully compliant.
"Compliance is a heavy burden for many organisations because it requires a high level of operational maturity to handle effectively," says Daniel Hofmann, CEO of Hornetsecurity.
"There are processes, organisational and technical components. A given organisation may be beholden to multiple regulatory frameworks and governing bodies – each with its own ever-changing rules and requirements. On top of that, amidst the chaos of getting these controls into place, many organisations struggle to keep up with changing regulations."
In many cases, this is complicated by the fact that different people within the organisation are responsible to various regulators.
"GDPR, for example, falls under the data protection officer's remit, PCI or the Digital Operational Resilience Act (DORA) regulation might fall on business application owners, while NIS2 may come under an organisation's CIO or CISO remit," says Romain Deslorieux, director of strategic partnerships for cloud protection at Thales.
This stretches resources, so the trick is to find some commonality. There are similar actions demanded by most regulations, says Deslorieux, such as "assessment, records of workloads and processing, protection of data, and improving the amount of internal communication that's taking place."
He adds: "Many regulations have four main objectives in common: define the scope of responsibilities regulated; mandate to run a risk assessment in relation to that scope; list technical and organisational measures required to mitigate the risks; and list obligations towards supervisory authorities, such as reporting and penalties."
Major distraction
However, at a time when many organisations are also struggling to ensure adequate cybersecurity, often with overworked staff, aren't compliance efforts likely to have an impact?
"The burden of compliance can be distracting," says Erfan Shadabi, cybersecurity expert at comforte AG. "Instead of proactively fortifying their defenses and staying ahead of cyberthreats, organisations may find themselves allocating significant time and resources to meet regulatory obligations."
Compliance and security are not the same thing.
"While being compliant with certain regulatory frameworks does tend to improve a business's security posture through documentation and good security practices, being compliant is by no means a guarantee of security," says Hofmann. "There is also an argument to be made that IT departments that are focusing heavily on complex compliance requirements may mistakenly miss security basics."
Seek common ground
Once again, the answer may be to look for overlap between the two areas.
"Many compliance frameworks specify similar things to IT security best practices that organisations are likely already striving for," says Deslorieux. "For example, if an organisation already has reached certifications such as ISO27001 or ISO27701 IT security procedures, this will go a long way towards reaching compliance with other regulations.
"Security is never an absolute statement and the most effective teams and organisations work on that basis. But if you are fully compliant with regulation such as GDPR, DORA, NIS2, alongside following certification standards such as ISO27001 and ISO27701, you are more likely to be more secure than if you had no plan."
However, be mindful of assuming that security and compliance have the same goals or methods.
"On occasion, you will run into a requirement that is no longer best practice or industry standard, but if you don't implement it, you will technically be 'out of compliance'," explains Lecio de Paula, VP of data protection at KnowBe4. "Compliance can be beneficial to security if you approach it with the right mindset, but we see often that organisations will implement half-baked controls to meet the bare minimum requirements.
"This can often lead to worse security as now you have a patchwork of controls you are barely maintaining and haven't actually focused on solving the problem of securing your organisation's assets and data."
TEXT BY: STEVE MANSFIELD-DEVINE