Security and Compliance Aren’t the Same—But They Both Have the Same Objective

We all know that security is not compliance, and compliance is not security. But they do both have the same ultimate objective: effective risk management.

Security has always been about protecting assets commensurate with their sensitivity, criticality, and/or the impact of their compromise. In other words, about effectively managing risk.

Compliance assesses the degree to which the reality on the ground aligns with requirements. But to what end? The requirements (against which compliance is being assessed) are distilled from controls which were put in place to manage risk.

Some might say, “in our industry, compliance is more about adhering to regulatory requirements”, but that is incorrect. The regulators themselves will tell you that the regulatory controls are designed to address risk: security risk, operational risk, financial risk, privacy risk, etc.

An aside: this is why it is so egregious when internal compliance & audit functions become glorified box-tickers (as many do, in large organisations). It is a betrayal of their actual function, which is to make sure that 1st and 2nd line teams (1) understand what the risks are, and (2) can demonstrate how they are managing those risks. When compliance just becomes about box-ticking against technical controls and configurations, rather than a more sophisticated, mature, nuanced risk conversation, it dumbs the entire organisation down to that low bar.

This is why I was dumbstruck recently when someone told me that “their CIO and CISO didn’t care about having a nuanced risk management conversation—they wanted to see a compliance dashboard with all green tiles”. To which I thought (but didn’t say), “then your CIO and CISO do not understand their jobs.” The end of security and compliance is effective risk management. Business enablement too, of course—but any progress you enable without effective risk management cannot be sustained.

There’s another layer still: risk management is not an end in itself. As I recently said at the Recorded Future conference: The purpose of risk management is not to manage risk. The purpose of risk management is to enable and sustain business outcomes.

Years from now we will look back and marvel at how hard we worked to deliver cyber widgets without any idea of the degree to which they impact material business risk, and/or help to enable tangible business outcomes. These are the only North Stars that matter.
