Stop Wasting Time on Compliance, Start Managing Your Risk
As we attended the latest RANT roundtable, the cybersecurity news is dominated by the cyber incidents and attacks hitting major UK retailers.
Whilst the discussion was on the subject of ‘Stop Wasting Time on Compliance, Start Managing Your Risk’, it was clear that the concept of risk underpins how you would have survived an incident like this, or more appropriately, what your risk level looks like in light of these experiences.
Different Approach
Kicking off the discussion, James Dorrington from Diligent asked how the situation could have been approached differently, and whether the affected retailers could have recovered quicker if they had approached risk management in a different way.
One participant claimed that risk management has become too much of a tickbox exercise, which we need to move away from, as too many businesses believe they are secure if they conform and comply with the likes of PCI DSS, ISO 27001 and Cyber Essentials. Boards of directors will also see that level of investment in compliance as enough, and in the case of the impacted retailers, a participant said that the issue is business leaders accepting the risk due to cost.
So if money has been spent on cyber defences and training and compliance-ready solutions, are the leaders feeling enough has been done because money has been spent?
Some others agreed that too many auditors will stamp an approval if enough money is paid, and the certificate often “is not worth the paper it is printed on.”
Assess and Accept Risk
In the case of ISO 27001, it was described as both an ‘art’ and a standard where you need to get your scope right, and also as an example of approaching security “in an organised way!” As a risk-based standard, the organisation needs to be very subjective in how it assesses its own risk and how it justifies its own controls, rather than simply reflecting the risk posture of a client.
In the world of compliance, a participant said they had a requirement to be compliant with HITRUST, and this set out a level of expectation “as spent time jumping through hoops and counterproductive controls.”
Another discussion was on the concept of tools and solutions apparently offering compliance. One participant said that the business bought a product which could demonstrate compliance, but it didn’t provide security that was needed in order to protect the business. “We need to demonstrate to our customers how we are truly secure.”
This led the conversation on to the subject of customer trust: specifically, once you have built your risk profile, whether you are able to make a decision without going through a list of questions, and whether you are reviewing what the customer actually wants.
A recent open letter from the CISO of JP Morgan was cited, as it “demonstrates what the customer expects” as you want board members to take an interest, as being secure brings in money.
Participants said that if you “don’t review what customers really want, then you’re just chasing the pound” and another said that “if you don’t have user trust, then don’t have users using the platform.”
Retailer Breaches
So what about those retailer breaches? James Dorrington asked how a business could avoid being the next in the headlines, and the responses were that a plan is needed. “If you have ISO 27001 and cannot recover, you’re on a losing streak.”
Another relatively new compliance standard is DORA, which came into force in January 2023 and applied from 17th January. The participant claims that DORA recommends red teaming as a requirement, as that exercise is designed to strengthen the resilience of European financial institutions to cyber-attacks.
The participant said that there is a demand from customers to be compliant, and ensure secure supply chains: but if there are around 8000 customers and each needs to do a red team exercise on you as a supplier, that can be scary! “Say to the board we need to do it now and demonstrate to us that we will not fail.”
They recommended focusing on social engineering first, and being able to have “basic things protected by security tools” as well as detect what will compromise your systems.
As social engineering has been a factor in the retailer attacks, participants agreed that acknowledging it and being able to deal with it is part of risk acceptance, as is understanding that a level of compliance with ISO 27001 will not stop something like that from happening.
Board Acceptance
What about the board’s understanding of these challenges? One participant said you will not always get the C-suite to understand cybersecurity issues, as many of them are ‘financial people’ and they talk in financial terms. If you speak their language, which in financial services is risk, then you realise that secure business operations have nothing to do with a compliance framework; they happen because it is the right thing to do.
“When regulators come around, we’re 90 percent compliant as it is the right thing to do, and of course doing it as we – as a business – want to survive and make money.”
Another participant said that displaying compliance is “about business practice”, while another said that for a CISO to become relevant, they have to consider how they enable the business, as the “risk conversation has changed and you need to be very careful on that and how you empower the business.”
Understand Posture
In conclusion, the roundtable chair said there is an understanding that compliance is a badge for enablement, and risk is about talking to the business, and understanding your risk and compliance posture, and managing it.
Thomas Ryan from Diligent recommended trying to educate your customers on a risk-based approach, which should make demonstrating your compliance and your risk level less difficult. James Dorrington said that, coming from a risk practitioner background, it was a shame to still see some things being done that he was seeing ten years ago, so collectively we need to know how to move on and be more practical in the outcomes we are trying to achieve.