Master Security by Building on Compliance with A Risk-Centric Approach

By Meghan Maneval, Vice President of Product Strategy and Evangelism, RiskOptics

In recent years, a confluence of circumstances has led to a sharp rise in IT risk for many organizations. Cloud adoption, digital processes, remote work, and third-party relationships have all grown dramatically to create an expanding and complex threat landscape that bad actors are eager to exploit. Not only are there an enormous number of risks in this digitized world, but they are also coming at us with incredible speed. Considering that it only takes an independent cybercriminal around 9.5 hours to obtain illicit access to a target’s network, every minute a company lacks visibility into vulnerabilities or fails to respond to threats gives hackers a chance to cause significant damage.

In light of the increasing threat, many organizations have focused on increasing their compliance with security certifications under the illusion that compliant means secure. This is not the case. According to Forrester, just 35% believe that compliance drives the right focus and behaviors within their business. That’s why a proactive approach to seeing, understanding, and acting on risk is key to improving the effectiveness of defenses in place to meet compliance standards – helping organizations enhance cyber resilience today and tackle the challenges of tomorrow.

Compliance alone is insufficient to improve security

Complying with a framework is great. Compliance cannot be underscored. “Being compliant” means adhering to a specific framework or list of regulatory requirements and is how you protect your organization. But it does not mean you have done everything within reason to protect your organization, nor are you prioritizing your security investments to achieve specific business objectives. Therefore, compliance does not speak to how well you are protecting your organization.

Attackers are smart, stealthy, and ready to exploit any opportunity, whether through the front door with a phishing email or the back door via one of your third- or fourth-party vendors. In fact, 83% of organizations reported having experienced more than one data breach, according to the 2023 Cost of a Data Breach Report by IBM and the Ponemon Institute. To protect your organization, you need to go beyond compliance and actually assess your risk and put practices into place to prioritize remediation to propel your business forward.

For example, compliance audits are point-in-time assessments that appraise the controls you’ve already implemented. They don’t focus on how well you are protecting your organization today. This approach is no longer sufficient to reduce risk. What happens if an event occurs the day after an audit that increases your number of high-risk vulnerabilities? Remember that attackers don’t care if you’re compliant or not – only regulators and other stakeholders do. The attacker aims to make money accessing your high-value information, disrupting your business, and profiting from ransomware payments. Keeping your business priorities in the center of your risk assessment enables faster data-driven strategic decision making.

Understand the effectiveness of your compliance and risk activities

Understanding the need to shift from compliance to risk management is one thing but carrying it out is quite another. To understand the effectiveness of your security posture, ask: How well are we protecting our organization and assets?

When choosing risk management technology, it’s important that the platform supports a strategy of defining risk within a business context. Your organization’s risk management platform should provide information beyond the typical compliance status report. Look for reporting capabilities that provide the context necessary to understand the progress and effectiveness of your compliance programs and their impact on reducing risk. For example, each program should have a compliance posture indicating the number of effective controls compared to total controls. But it should also clearly show the impact of those controls on reducing your risk exposure. If it’s not, you’re missing the mark.

The platform must also be able to update this metric in real time as your team completes compliance activities to provide an up-to-the-minute snapshot of the program’s health. You should also expect live-view dashboards to include the status and impact of controls and risks, as well as the ability to export results into a CSV or formatted report. This level of detailed reporting gives your risk managers the visibility they need to prioritize activities that strengthen compliance and reduce risk and can help you better understand how risk remediation efforts are progressing. Similarly, a report that quantifies risk assessments by category and score can help identify the areas needing attention, so that you can focus your resources on the areas negatively impacting your risk posture.

How can organizations improve their cybersecurity?

The most security-conscious organizations understand that cybersecurity is an ever-evolving risk that must continuously be considered and monitored. When the organization is “in compliance,” it has met the minimum requirements under its obligations. But being able to say “we’re compliant” is not the same as understanding to what extent implemented controls have effectively reduced the underlying risks. You must also identify and categorize risks as they relate to individual business activities and the context around them.

By taking a broader, risk-based approach tying risk to business outcomes, instead of a more limiting compliance-based approach, organizations can improve their cybersecurity.

The four key areas enterprises look to improve are:

• ENABLEMENT: Supporting business goals by protecting the data and systems essential to the business.
• SECURITY: Protecting data privacy, demonstrating compliance, and managing risk effectively.
• EFFICIENCY: Eliminating the time wasted on manual tasks.
• TRUST: Proving to customers that they can entrust their sensitive data to the company.

Deliver better outcomes with a strategic approach to risk

Cybersecurity leaders can deliver better outcomes with less effort by transitioning from a compliance-centric approach to a risk-centric one. This evolution happens by shifting your perspective. Compliance and risk are essentially two sides of the same coin but with different focal points. Compliance is focused on adherence to a framework of statutory, regulatory, or contractual requirements, using implemented controls to satisfy those obligations. This adherence is binary — each requirement is either met or unmet. But risk is a continuum. Risk management requires evaluation of controls and their impact on the business’ ability to meet its goals.

Such an approach puts cyber risk in a business context so that CISOs and CIOs can tie risk to the business objectives prioritized by the C-suite and Board. To do so, they need visibility into the organization’s overall risk and compliance posture that breaks down the silos that cause inefficiencies, gaps, and blind spots. You need organizational and program-level reporting that gives you detailed insights and metrics. The tools and automation involved can substantially ease the burden of managing this information and related activities. Automation capable of facilitating a continuous, near real-time view of the organization’s risk profile is key to delivering better outcomes with less effort. In addition, a risk-centric risk management approach builds trust among customers and business partners, ultimately supporting your go-to-market initiatives.

About the Author

Meghan Maneval is the Vice President of Product Strategy and Evangelism at RiskOptics. She has over 15 years of experience in risk management, information security, and compliance, and is a passionate, visionary leader who drives new ways to solve industry problems. As the Vice President of Product Strategy and Evangelism at RiskOptics, she leads a team of talented and diverse professionals. She develops and executes strategy and objectives for the Go-To-Market function, innovates and designs new solutions for the risk management market, and evangelizes the benefits and value of cyber risk management. Meghan can be reached online at her LinkedIn here and at our company website https://reciprocity.com/.