Beyond Cybersecurity Compliance: Adhering to Regulation is Not Enough

Achieving cybersecurity compliance is a top priority for security leaders. Organizations protect themselves from liability by demonstrating that they adhere to industry regulations, including federally mandated regulations like HIPAA as well as voluntary frameworks like NIST CSF.

However, cybercriminals do not limit their attacks to the types of vulnerabilities these regulations address. In fact, they spend considerable time and energy developing innovative ways to bypass these defenses, exploit compliance fatigue, and compromise vulnerable systems.

There is ample evidence for this fact. Highly compliant financial institutions, healthcare providers, and government agencies continue to fall victim to cyberattacks. If regulations offered sufficient security, there would be far fewer headline-making attacks on major institutions.

At the same time, less than 50% of large US companies are investing in cybersecurity even though 83% claim it is a major priority. This suggests that security leaders have become less motivated to proactively improve their security posture once they achieve compliance.

Cybersecurity compliance policies are standardized by design. This is necessary to make audits possible, and to establish meaningful fines and penalties for non-compliance. Creating personalized security policies on a case-by-case basis is not feasible on a large scale.

However, the opposite is true of cybercriminal tactics, techniques, and procedures. Ransomware gangs and individual hackers use a combination of automated software and highly customized attack vectors to target their victims. Security regulations simply give them a point of reference for constructing sophisticated attacks.

Security-conscious organizations need to be proactive about how their security posture responds to their environment’s real-world security risk profile. That means making cybersecurity compliance one part of a multi-layered security strategy.

In 2021, three government agencies (the FTC, OCC, and FRB) developed a set of cybersecurity standards for the financial industry. These policies established workflows for security leaders to follow when creating formal cybersecurity policies, deploying internal systems, and reporting data breaches.

In December 2022, these agencies added new rules to the framework. The new regulations require organizations to encrypt customer data in transit and at rest, implement multi-factor authentication, and log user activity to detect unauthorized activity.

These are all robust security practices that financial institutions should implement. However, the official requirements leave out important pieces of information that security leaders need:

• How should organizations encrypt customer information in transit and at rest? Should there be a separate encryption process for data in transit and data at rest?
• Which types of authentication factors are suitable for implementing multi-factor authentication? What about users who need additional verification safeguards?
• How should organizations log user activity? Where do the logs go? Who should monitor those logs for evidence of unauthorized activity, and how?

Policymakers can’t answer these questions on an industry-wide basis. The optimal answer for your organization will be unique to your business structure and security risk profile. Achieving cybersecurity compliance doesn’t guarantee an optimal security posture. It may not even guarantee a particularly effective one.

MITRE ATT&CK has documented nearly 200 individual enterprise threat techniques and 400 additional sub-techniques. Attackers aren’t limited to just one of these techniques – they can mix and match them into practically unlimited combinations.

Most sophisticated attacks combine multiple techniques. Zero-day exploits may include entirely new techniques that have never been seen before.

An industry-standard cybersecurity compliance framework can’t protect against all of these combinations. In fact, that’s not even what regulations are designed for. Security leaders can’t expect those tools to do a job they were not made for.

Protecting against a potentially unlimited number of attack techniques requires establishing security policies that reflect the real-world needs of the organization in question. Only a highly customized security posture can distribute limited resources effectively across a wide attack surface.

But in order to strengthen the weak links in your organization’s security chain, you must first identify them. Industry-standard compliance checklists can’t do that for you.

Instead, you must deploy resources into identifying where your organization’s security policies need improvement. You must identify its weak points and deploy solutions that address the most severe threats.

Security audits and intelligence data are a critical part of this process. Robust security policies and prevention-based technologies are another. Organizations have to look beyond cybersecurity compliance before they can start building a system that joins these tools and technologies together successfully.

The limitations of the compliance-based approach to security are clear. The risk-based approach is an alternative that empowers organizations to establish meaningful security policies that go beyond compliance.

The risk-based approach isn’t a replacement for compliance. In fact, the Risk Management Framework is clearly laid out in NIST SP 800-37, so it is also a regulatory framework. However, it provides organizations with valuable insight into how to weigh security investments against potential risks.

This approach defines risk as:

1. The likelihood a security incident occurs, and
2. The potential business impact if it does.

This approach requires significant time and energy. Security teams must continuously monitor their performance while staying ahead of threats and proactively optimizing costs. However, the stronger the organization’s prevention-based security policies are, the more streamlined their detection and risk management workflows can be.

Key prevention-based technologies like multi-factor authentication and anti data exfiltration protection are a core part of this process. Security leaders who undertake risk management assessments can develop policies that better suit the individual needs of their organization.

Combining risk management with cybersecurity compliance gives organizations a starting point for developing a customized security framework that capitalizes on their strengths while addressing their weaknesses. Cybersecurity compliance is no longer the ultimate objective – it is the starting point for consistent and reliable security performance.

BlackFog provides anti data exfiltration services to organizations that understand the value of data and prevention-based security policies. Keeping data from leaving your network reduces overall risk, optimizing cybersecurity compliance and audit outcomes across the board.