
Stop Wasting Time on Compliance – Start Managing Risk in Line with Your Business Objectives

Insights from a RANT Roundtable in partnership with Diligent

Here’s a question: are you putting so much effort into your compliance position, and spending so much on products, processes and initiatives to win the auditor’s approval, that you are disregarding the rest of your business’ risks as a result?

Are you taking the focus away from risk management, and putting more emphasis on box ticking?

This was the subject of a recent RANT roundtable. The discussion raised many key points, but perhaps most notable was how compliance can be seen as ‘box ticking’, or even “pushing a rock up the hill.”

Countering those points, though, the discussion turned to the idea that even if compliance is about box ticking, being compliant can still add value. For example, one participant claimed that it can be “something in your armoury”, while another claimed that having the badge of compliance, when the auditors come in, “is absolute gold.”

Obsession with Certification?

One of the key certification models that regularly appeared in the discussion was ISO 27001. Scott Bridgen, general manager for risk and audit at Diligent, claimed that there was an obsession with maintaining certifications, and whilst he admitted that “there is nothing wrong with ISO 27001, there is an obsession with getting the exercise completed and getting to the audit stage.”

Bridgen said a risk-based approach gives a better focus, one “where 90 percent of your compliance” is covered by proxy.

Other participants referred to ISO 27001 as part of the “holy trinity” of compliance frameworks to follow by default, the others being PCI DSS and Cyber Essentials, saying these are “good to address your risks and align to the risks of business.”

ISO 27001 was also criticised: apparently, if you tell an auditor that you know about it, and spend enough money, time and resources on it, you can pass an audit and be deemed compliant.

Ultimately, another participant claimed that you can “focus on risk or compliance, but you need compliance to do business.” In other words, without compliance you won’t be deemed tall enough to ride.

Relevance to Business

Some regimes you must adhere to regardless, notably GDPR, but others will be more or less relevant depending on what a business does and where it operates.

More than ten years since Cyber Essentials was introduced, it may be that this standard is more relevant than most suspect. One participant asked whether the majority of breaches would have happened at all if the entity had been compliant with Cyber Essentials – most likely a nod to the research from last October which found that 82% of Cyber Essentials users were “confident that the technical controls provide protection against common cyber-threats, while a similar proportion (80%) believe they are helping to mitigate cybersecurity risks within their organisation.” Note that those figures measure users’ confidence in the controls, not breaches avoided.

Comments from the roundtable noted that Cyber Essentials looks at a ‘point in time’ state of compliance, with one claiming that you only need to demonstrate that you’re patching regularly to achieve it.

Also, as Cyber Essentials is a self-certification standard (the basic tier is self-assessed; Cyber Essentials Plus adds an independent technical assessment), one comment was that this type of questionnaire-based audit is “not worth it”, as the people completing them “have no clue on the business or service” and often use the audit itself to get an idea of their state of security.

Spending on Risk

The counter to this debate is spending on risk. One comment claimed that “risk is bread and butter” of the day-to-day business, while others said it really comes down to “what you deem to be important and keep it simple and clear cut.” Whether you put risk at the centre of your business depends on the approach you take, but one comment was that it is “up to the organisation to determine” their posture.

Whether it be risk or compliance, an interesting question was posed: “would you feel like you’re doing the right stuff even if these frameworks didn’t exist?” In other words, if you were not trying to comply with ISO 27001 or Cyber Essentials, would you be doing anything differently from how you currently operate?

Participants said they would “rather be secure than not” and that “some people have a job as they need to be certified.” So do compliance and risk together define the job, and put the guardrails in place to ensure it is done correctly?

One comment was that the frameworks are the guardrails that keep you on track, but if you’re aiming only for compliance, you do the minimum in terms of controls.

Bridgen said the issue is that compliance is necessary “and you have to do it” in many cases, as the frameworks provide those aforementioned guardrails. He said that a risk-based approach can make the journey to compliance easier. It was clear that the administrative burden of compliance can be an annoyance, but others see its value.

Ultimately, two comments stood out as summarising the debate. Firstly, that “all risk is business risk” and that you have to align it with your profit and loss; secondly, that you should “push cyber risk alongside other risks” and make it stand out against every other risk the business faces.

Every business is different, but it seems that if you follow the guardrails of a compliance framework and make sure you know your risk posture, then neither negates the other: you achieve the same results without overspending.