Does cyber security compliance equal good cyber security?

There is a notable increase in adoption of industry recognised frameworks, standards and best practices, as many organisations have embraced cyber security compliance as a structured approach to managing their cyber security programmes and strategies. Some of these include, but are not limited to:

• ISO/IEC 27001 – An international standard that describes best practice for an ISMS (Information Security Management System);
• ISO/IEC 27002 – A supplementary standard to ISO/IEC 27001 that provides advice on how to implement the security controls listed in Annex A of ISO/IEC 27001;
• National Institute of Standards & Technology Cybersecurity Framework (NIST CSF) – Provides a high level taxonomy of cyber security outcomes and a methodology to assess and manage those outcomes;
• Control Objectives for Information and Related Technology (COBIT) – A high level framework focused on identifying and mitigating risk. Initially developed for IT governance professionals to reduce technical risk, but it’s evolved into a standard to align IT with business goals;
• Center for Information Security (CIS) – Formed in October 2000. Its mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defence and build and lead communities to enable an environment of trust in cyber space"; and
• Information Security Forum (ISF) – Is an independent information security body. The ISF delivers a range of content, activities and tools and is a paid membership organisation; and
• Among these are also industry-specific standards such as the Payment Card Industry Data Security Standard (PCI-DSS) for credit card handling.

However, it is important to note that cyber security extends beyond alignment to a (or many) cyber security frameworks, standards and best practices. Even the most mature environments with managed or even optimised compliance implementations fall victim to cyber attacks.

According to an analysis conducted by CyberSec, 83% of organisations analysed, with mature cyber security compliance, were still considered to have significant room for improvement following an ethical hacking (penetration testing) exercise.

This is predominantly because compliance addresses a broad-spectrum approach to addressing key controls within an organisation's control environment. In other words, it should not be ignored, disregarded or set aside, but rather embraced and supported with additional specific cyber security measures and controls.

Equally, from the opposing viewpoint, an organisation with leading security technology supported by qualified subject-matter experts, may also find themselves short-changed with regards to their cyber security maturity.

This is usually owing to the core, fundamental controls (usually addressed from a compliance standpoint) being absent or poorly implemented – as a result, exposing the organisation to unnecessary risk, despite the significant investment in people and technology.

It is therefore critical that businesses embrace cyber security compliance, but also ensure it is supported by additional controls, assessments and technologies that are fit-for-purpose. Do not solely rely on compliance alone for cyber security risk assurance. Ensure that your approach to cyber security encompasses all areas of the business, collectively bringing together a synchronised and robust cyber security programme that touches on people, process and technology.