From checking-the-boxes to a foundational element: How to make compliance part of your security strategy

By Robin Das, executive director, market growth strategy for DataBee®, a Comcast Company

Compliance does not necessarily equate to security, and security does not necessarily mean compliance. To many organizations, compliance can seem like a headache or a “check the boxes” exercise that serves no purpose beyond passing the audit, but that view is shortsighted.

This mindset can also cost you. A 2024 study by CYPHER Learning found that companies lose $1.6 million annually, on average, due to non-compliant employee behavior. Within just the financial sector, global regulatory fines in 2024 soared to over $19 billion, a new record.

IBM’s Cost of a Data Breach Report 2023 found that, on average, breaches cost almost $241,000 more when noncompliance with regulations was involved. Breaches cost organizations with a high level of noncompliance an average of $5.05 million – $560,000 more than the average cost of a data breach.

Organizations need to look at the relationship between regulatory compliance and cybersecurity and consider ways that CISOs and other leaders can try to ease the burden of maintaining continuous compliance while strengthening security and managing costs.

Why do regulations exist?

Guidance such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, regulations such as the EU’s Digital Operational Resilience Act (DORA) and industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) share the same general origin as most guidance, standards and regulation do. They exist to ensure a minimum level of protection and to get people or organizations to exhibit behavior they are not likely to exhibit otherwise.

As cyberthreats and challenges to digital privacy have accelerated, regulations have become more stringent, and enforcement actions and penalties are increasing in severity. Financial penalties exist for two main reasons. First, they act as a deterrent: the intent is that organizations conclude it is less expensive to comply than to pay the penalty. Second, they serve as a cautionary tale or punishment that other organizations can learn from.

Regulations and compliance frameworks are valuable for their ability to create a baseline for an organization’s security program; compliance requirements ultimately give an organization a foundation to build on. Should CISOs and other security leaders wish to build on that foundation to have a more sophisticated, risk-based cybersecurity program, all the better; fundamentally, security programs will depend on the elements that show up in your compliance frameworks anyway. If you want a robust and valid cybersecurity strategy, you must address the “basics” that show up in the standards.

Static – but shifting – requirements 

Frameworks, regulations and standards like the NIST CSF, DORA and PCI DSS are revised on multi-year cycles and can be slow to keep up with the rapid pace of change. They form an essential starting point, but they must not constitute your company’s entire strategy. Instead, the best approach is to move toward a real-time, data-driven understanding of what is taking place in your own environment: which controls are actually in place, where they are failing and what today’s telemetry shows.

In terms of future regulations, no forecast is guaranteed accurate, but it seems likely that more stringent and augmented data privacy requirements and regulations will continue to roll out. New requirements are likely to put more emphasis on supply chain security, AI and other emerging technologies, too.

The trade-off lies between business goals and the cost of compliance. Being compliant requires an additional cost in terms of time, effort and tools. Yet compliance can be a business enabler too, reinforcing an organization’s good reputation as a partner or provider. In addition, for companies to fully grasp their risk tolerance, they need clarity about the operations, the resources and the people who are doing the work. This level of internal knowledge can be the rallying cry that unites a company’s teams for the greater good.

Best practices for meeting compliance in a more meaningful way 

These five best practices will help your organization meaningfully comply with the regulations specific to your industry:

1. Implement Continuous Controls Monitoring (CCM) to avoid compliance “drift” – Post-audit, it’s easy for responsible parties to get caught up in the needs of the business, take their eye off the ball and stop looking at the risk metrics daily. When that happens, teams can drift out of compliance. CCM can help you avoid drifting by providing automated and year-round insight into the performance and security state of your controls.

2. Make compliance a “team sport” by engaging as much of the organization as possible. Share each team’s and business unit’s control metrics with them (human resources, finance, marketing and so on) to create a sense of accountability, ownership and even friendly competition (for instance, the east division sales team is beating the west division sales team on phishing tests).

3. Roll multiple compliance metrics up into simple risk scores that act as a “true north” for the organization’s compliance program and are understandable by the board.

4. Create a single, transparent and reliable source of truth for compliance data. Transparency means knowing where the source data comes from, what transformations were applied to it and when it was collected, so that any score can be traced back to the evidence behind it.

5. Ensure that the compliance and cybersecurity programs work as partners, so that security controls are implemented with compliance in mind and produce evidence as a natural byproduct. A robust evidence trail helps ensure that each control is implemented correctly and maintained consistently, which is what prevents compliance drift.
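The mechanics behind practices 1, 3, 4 and 5 above (automated control checks, a roll-up risk score, a traceable evidence record per check, and drift detection between runs), as an added illustrative Python example that is not code from the article or from DataBee. The control IDs, weights, the inventory data and the "hypothetical-inventory-api" source name are all constructed assumptions; a real CCM pipeline would pull the inventories from identity and asset systems instead.

```python
"""Illustrative continuous controls monitoring (CCM) loop.

Constructed example: evaluates a few controls against sample inventory
data, writes an evidence record per check (with data provenance), rolls
the results up into a weighted risk score, and flags drift between two
snapshots. All data below is hypothetical.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample inventories for two consecutive days (hypothetical data).
INVENTORY_DAY1 = {
    "accounts": [
        {"user": "alice", "admin": True, "mfa": True},
        {"user": "bob", "admin": True, "mfa": True},
        {"user": "carol", "admin": False, "mfa": False},
    ],
    "hosts": [
        {"name": "web-01", "days_since_patch": 5},
        {"name": "db-01", "days_since_patch": 12},
    ],
}
INVENTORY_DAY2 = {
    "accounts": [
        {"user": "alice", "admin": True, "mfa": True},
        {"user": "bob", "admin": True, "mfa": False},  # MFA switched off: drift
        {"user": "carol", "admin": False, "mfa": False},
    ],
    "hosts": [
        {"name": "web-01", "days_since_patch": 6},
        {"name": "db-01", "days_since_patch": 13},
    ],
}


def check_admin_mfa(inv):
    """Control: every admin account has MFA. Returns (passed, finding)."""
    missing = [a["user"] for a in inv["accounts"] if a["admin"] and not a["mfa"]]
    return not missing, f"admins without MFA: {missing}"


def check_patch_sla(inv, sla_days=30):
    """Control: no host is past the patch SLA. Returns (passed, finding)."""
    late = [h["name"] for h in inv["hosts"] if h["days_since_patch"] > sla_days]
    return not late, f"hosts past {sla_days}-day patch SLA: {late}"


# (control id, weight, check function). IDs and weights are hypothetical.
CONTROLS = [
    ("AC-MFA-ADMIN", 3, check_admin_mfa),
    ("SI-PATCH-SLA", 2, check_patch_sla),
]


def run_controls(inv, source="hypothetical-inventory-api"):
    """Evaluate every control and return one evidence record per control.

    Each record names the data source and carries a hash of the exact
    input that was evaluated, so an auditor can later verify which data
    produced the result (the "transparent source of truth" idea).
    """
    source_hash = hashlib.sha256(
        json.dumps(inv, sort_keys=True).encode()
    ).hexdigest()
    records = []
    for cid, weight, check in CONTROLS:
        passed, finding = check(inv)
        records.append({
            "control": cid,
            "passed": passed,
            "weight": weight,
            "finding": finding,
            "source": source,
            "source_sha256": source_hash,
            "checked_at": datetime.now(timezone.utc).isoformat(),
        })
    return records


def risk_score(records):
    """Share (0-100) of total control weight that is currently failing."""
    total = sum(r["weight"] for r in records)
    failing = sum(r["weight"] for r in records if not r["passed"])
    return round(100 * failing / total) if total else 0


def detect_drift(before, after):
    """Controls that passed in the earlier run and fail in the later one."""
    prev = {r["control"]: r["passed"] for r in before}
    return [r["control"] for r in after
            if prev.get(r["control"]) and not r["passed"]]


if __name__ == "__main__":
    day1 = run_controls(INVENTORY_DAY1)
    day2 = run_controls(INVENTORY_DAY2)
    print("day1 risk score:", risk_score(day1))   # 0
    print("day2 risk score:", risk_score(day2))   # 60
    print("drifted controls:", detect_drift(day1, day2))  # ['AC-MFA-ADMIN']
```

Run daily, the drift list is what the team looks at, the score is what the board sees, and the evidence records are what the auditor asks for; the same check feeds all three audiences, which is the point of practice 5.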

Moving beyond compliance

Compliance exists to uphold a minimum standard for protecting company and customer data. It may seem like drudgery, but its intention is sound, and non-compliance often ends up costing more than compliance. As fines and penalties increase, now is the time to put the best practices above in place so that your organization can avoid fines and build a security strategy that exceeds the bare minimum. A safer, more cost-efficient and more compliant environment awaits.
