I am genuinely interested in how can compliance efforts translate into effective cyber security programs that actually result in improved postures. Most cyber security professionals consider standards and regulations only as a starting point for base-level security. Obviously, different standards have different guidelines, and it usually comes with a particular interpretation as well. Still, most cyber security folks will tell you that, no matter the standard or regulation, being compliant is not necessarily the same as being secure.
As a reminder, standards in cyber security usually define the requirements of an Information Security Management System (ISMS), which is a whole framework on how to manage cyber risk, including processes, technologies, and people. These (the standards) can be the end goal of compliance or can help achieve the requirements of a specific regulation, such as GDPR for instance.
I believe one of the main issues that’s getting in the way of converting compliance into actual security is the interpretation of guidelines and benchmarks. The interpretation of high-level requirements can be hard, especially when trying to map them into relevant technical data, or implementation or deployment measures that can fully cover these requirements. Cyber security is unpredictable enough that a prescriptive regulation cannot possibly cover all situations an organization might have to face and can become outdated very quickly. A descriptive approach, on the other hand, is rather generic, with high-level requirements and principles that are wide-open to interpretation depending on the context, resources, the current landscape, etc. Contrasting, or even conflicting, interpretations are very likely and end up being a risk for both the enforcement and the implementation sides.
So the question is actually on how to regulate the cyber security space; you cannot be too specific for such a fast-evolving landscape, and if you’re too generic, a given interpretation is likely insufficient and you’d want to fill the gaps with a risk-based approach to action. All of this is obviously from a security professional perspective since the above interpretation might have already been enough to meet the legal or even the industry expectations.
The potentially conflicting interests of different stakeholders in an organization also do not serve the convergence of compliance into actual security. Unless a good balance is found between regulatory and security goals, the current gap will always create opportunities, and even incentivize, certain stakeholders to take shortcuts or circumvent the system.
The solution to this is in taking a holistic approach that takes into consideration the concerns of everyone involved; the guys with legal concerns, people with cyber security concerns, and those having resources and budget challenges. This means that in addition to working on the requirements and regulatory approaches (neither too specific nor too general), we need to incentivize for long-term innovation and security (not sure how! Grants? Tax cuts? Something else…), encourage threat intel and information sharing within regulations, harmonize and simplify across jurisdictions, etc. Only then a more effective and security-focused implementation of compliance would be possible.
