The motivation behind protecting personally identifiable information (PII) is often one of complying with legal and regulatory requirements as opposed to a security concern. For many organizations, navigating between the two can seem like being forced to choose between the lesser of two evils, but there is a way that you can have both without sacrificing the requirements of either one.

Maybe your industry or business is young and you don’t yet see where cybersecurity fits in the ecosystem; maybe you’re too small an organization to have set aside budget dollars for cyber solutions; maybe you’re in a compliance-driven organization that prioritizes compliance requirements over security investments.

Are you compromising on your cybersecurity?

These are situations we see every day. It’s not at all uncommon for executives to find themselves without the time to understand security or for organizations to lack the staff required to focus on it. Security functionality often gets bumped, especially in development, in favor of the features and capabilities customers ask for, particularly in high-growth sectors like technology and in compliance-driven industries like financial services and healthcare.

And they’re not alone. 

61% of corporate board members admit they would compromise on cybersecurity in order to achieve a business objective. ¹

The downside is of course that only 16 percent of executive leaders say their companies are well prepared to deal with cyber risk. A recent McKinsey report notes that growth in most industries depends on new technology, such as artificial intelligence, advanced analytics, and the Internet of Things (IoT), which may expose companies to new types of cyber risk from new or evolving threat vectors. ²

Is compliance your security strategy?

To bridge the gap, you may decide to beef up on compliance. However, companies invest in compliance activities to follow various laws and regulations–not necessarily to improve their security posture. 

Regulations such as SOC2, GDPR, CCPA, PCI, HIPAA, Sarbanes-Oxley, and more force organizations to meet multiple–even competing–compliance challenges that each require constant monitoring, frequent audits, and professional staff and technologies, which drives up the cost to stay in compliance.³ As a result, many companies tend to decouple compliance requirements from their security strategy, putting these two critical safeguards in competition with each other and nearly always sacrificing a strong security posture in favor of fulfilling compliance needs.  Compliance becomes the entire security strategy. 

Putting compliance ahead of security probably makes some intuitive sense for many executives–after all, laws including California’s CCPA, New York’s SHIELD Act, and Ohio’s Data Protection Act are just three of the more than 150 consumer data privacy bills introduced in U.S. state legislatures last year–and there’s a federal consumer data privacy act in the works too.

Additionally, the consequences of non-compliance can be costly. Business disruption represents the most expensive consequence of compliance failure, followed by fines, penalties, and other settlement costs: ⁴

• Infringements under GDPR carry a maximum fine of €20 million (about $27 million) or 4% of annual revenue, whichever is greater
• Fines related to intentional CCPA violations can cost as much as $7,500 per affected customer; the fine for negligent incidents can cost up to $2,500 each
• Meeting or maintaining compliance by industry sector costs organizations between $7.7 million (in sectors like media) and $30.9 million (in financial services) 
• Smaller organizations have higher per capita costs of compliance: Costs are highest for organizations with fewer than 1,000 employees and lowest for organizations with 75,000 or more employees

As compelling as the data seem, compliance divorced from security is just a stop-gap measure, even if it fosters trust with customers. Trust is one of the biggest reasons compliance-centric programs are popular. Trust brings confidence. Trust brings revenue. 

But when companies get into the habit of continually compiling new cybersecurity checklists, they create an undue focus on formal compliance rather than on cyber resilience. Even when all boxes on the checklist are ticked, the company may be no less vulnerable to attacks than before. ⁵

By separating compliance from a security strategy, we create exactly this type of “check-box” mentality and foster an environment of more or less following the letter of various requirements while missing their spirit entirely: Thousands of companies become compliant but still get breached.

In the meantime, security itself becomes an afterthought, an add-on to business goals, rather than a critical, integral part of them, making it impossible for security to act as a catalyst for sales and revenue growth.

The add-on approach may even become a drag on business velocity by increasing user friction or delaying time to market for new product features. When secure systems are not usable, there is a risk that users may try to avoid them or disable the security features entirely. As one CISO put it, “If you build an overly burdensome solution, users will do their best to circumvent it.”

People may also use security features incorrectly or make errors that compromise security, despite that nearly 75 percent of respondents to a recent Dark Reading poll say their organizations would be safer if security measures were easier for end users. ⁶

Done right, compliance simply becomes the byproduct of a sound security strategy. 

Recent research shows that the higher an organization’s Security Effectiveness Score (or SES, a measure of its ability to meet reasonable security objectives), the more effective the organization is in protecting sensitive information, assets, and critical infrastructure. The higher your SES score, the lower your compliance costs. ⁷

---