Cyber compliance is a serious headache for businesses in every industry. Regulations are mushrooming, and the penalties for non-compliance can be hefty and consequential. It’s not surprising that organizations are placing compliance at the head of their priorities.
Compliance has its limits, however. Over-reliance on the requirements of various frameworks is not only burdensome; it can also damage an organization’s opportunities for growth and its ability to prevent data breaches. It can result in a false sense of security and blind spots that permit genuine threats to go unnoticed, even when they are a clear and present danger.
When companies hyper-focus on compliance for the sake of compliance, they end up with tunnel vision that can stifle creativity, innovation and adaptability. There’s also a risk of overkill with overlapping requirements that absorb resources unnecessarily and drive up costs.
Today, more companies are pivoting from compliance-first to risk-first mindsets. From my perspective, the organizations that are the most effective at meeting cybersecurity challenges are those that have incorporated a risk-first approach.
What Is a Risk-First Mentality?
A risk-first mentality prioritizes identifying and handling a company’s biggest compliance risks through standardized policies and procedures. It allows an organization to focus its resources on its highest compliance risks.
What’s So Risky About a Compliance-First Approach?
For many years, compliance-first ruled supreme. After all, customers are increasingly interested in working with companies that take data privacy, breach prevention, social responsibility and ethical behavior seriously. Compliance with frameworks like SOC 2 can help demonstrate alignment with these values.
But too often, compliance is viewed in isolation as boxes that need to be ticked at the end of a process. Additionally, some businesses prioritize it over all other considerations in decision-making and operational management, which can squash innovation and broader visions under bureaucratic red tape. In fact, over the last two years, we’ve seen reports of landmark breaches at companies like LastPass, Dropbox and Uber, even though all three are certified for ISO/IEC 27001.
The SolarWinds affair only further emphasized the perils of being compliance-first. The SEC charged the SolarWinds Corporation with fraud, accusing the company of making misleading claims about its cyber risk practices.
“This case underscores the critical need for chief information security officers to … implement clearly defined cyber risk management programs,” note Brian Allen and Brandon Bapst of CSO Online. “This absence of a standalone and clearly defined cyber risk program exposes executives, board members, and now CISOs to emerging obligations.”
A compliance-first mindset can result in fragmented risk assessment and mitigation that leaves gaps in security provisions, in contrast to the standalone risk program that Allen and Bapst recommend.
“CISOs tend to build their cybersecurity program in buckets, according to the type of threat. For example, they might have tools and processes to handle email attacks, and separately, they will make sure they have tools to ensure remote access is safe,” asserts Arik Solomon, CEO at Cypago.
“Under this model, GRC compliance is often considered a separate need,” he adds. “Increasingly, more CISOs understand that cyber GRC is essentially a roadmap by which they should analyze potential risks, design governing processes, and apply security controls.”
Why You Should Switch to a Risk-First Mindset
As Solomon points out, more and more companies are adopting a holistic, risk-first mentality. This allows them to incorporate cyber compliance as an integral component of a broader risk management strategy that builds resilience, rather than as boxes on a to-do list. The shift is reflected in the percentage of organizations including information in their SEC disclosures about cyber management and oversight, which rose from 55 percent in 2018 to 87 percent in 2023.
Risk-first approaches place the focus on identifying, treating and managing the most significant compliance risks rather than starting with a list of regulations. This improves resource allocation, directing it to the greatest needs. It also bolsters responses to unexpected disruption and helps foster innovation and creativity. Focusing on the biggest risks also helps save money and time, and reduces the dangers of damaging, headline-grabbing incidents.
This shift is crucial for all aspects of compliance, but particularly for cybersecurity. Cyber threats are rising in both frequency and sophistication, thanks to the greater amount of sensitive data available online. Regulators are still playing catch-up with the true risks, so cyber teams can’t rely on them alone for protection.
“The goal here is to continuously improve your overall security posture rather than simply trying to stay compliant for the next round of yearly audits,” says Jasmin Landry, an InfoSec leader at Nasdaq. “I can assure you that if you get breached, a lot of customers will switch to a different vendor because they’d lost all trust they had in you. That is even if your security page on your website has a bunch of green checkmarks next to those compliance frameworks and standards.”
How You Can Implement a Risk-First Approach
Companies that are successfully moving to a risk-first approach are taking certain clear steps. Most importantly, CISOs are establishing and regularly revising risk management guidelines that specify the main risks facing the company and the priority level for each one. Ideally, they make these guidelines accessible to the entire workforce, so that everyone knows their responsibilities for mitigating threats.
Alongside these protocols comes regular and comprehensive training that’s tailored to the role of each employee, with certification frameworks requiring them to demonstrate mastery and understanding of the information.
Organizations also need to foster an environment of open communication that encourages employees to ask questions and raise issues without blame or shame. This ensures that companies spot concerns early and take them seriously. Last but not least, leaders should set an example by sharing success stories and advocating from the top.
Effective Compliance Lies in Holistic Risk Management
The dangers of over-relying on compliance are becoming clearer with every cautionary tale of data breaches and hacking attacks. As companies internalize the shortcomings of a compliance-first mindset, they are embracing a risk-first mentality that enables them to protect their systems, data and professional integrity.