Nadav Shatz, managing director, Comsec Consulting UK

It's an interconnected world, but for the connectivity to work securely, there are a myriad of standards and regulations to which companies need to adhere. It's also a world with a bewildering array of IT security threats.

The normal response is to develop a company-wide compliance framework based on standards and regulations. While this approach means that standards and regulations are met, maintaining trust and keeping trade moving, it may not actually improve security.

Lessons from history

Cyber-security based on standards and regulations often only fixes yesterday's problems, responding to challenges that have already been faced and dealt with by other organisations. It's an approach that can make it difficult to respond quickly to the innovative threats that are emerging every day.

Standards and regulatory requirements provide a useful, industry-accepted framework, but it could be suggested that implementing them means that firms are only meeting the minimal security requirements. The people who want to breach security and get into a firm's networks and take advantage of the data they contain are constantly innovating, so a security framework needs to be flexible to develop and evolve alongside the risk and the organisation environment, rather than just keep up with the regulations.

If a firm focuses on putting products or tools in place that address today's risks, it could get sucked into an audit approach to standards and regulations which leaves it open to different attacks as the vectors change. In general it's not just about the technology and the product, but how you use and deploy them to confront the risks.

The view from the ground

Relying on standards and regulations for cyber-security can fail to take into account working practices, the wide range of industries and partners that a company works with, and the specific technology that has been implemented. Adopting an industry-wide regulation and implementing it to a specific working environment can mean that organisations don't get actual security value from the regulations and standards that they implement.

In a bring-your-own-device world, it's imperative that the people building the frameworks take a long look at how people are interacting with the IT infrastructure before introducing change, even when change is being mandated by regulators. The more you try to enforce a framework that doesn't actually fit with how people work, the more likely they are to find work-arounds, which increases the risk of security breaches.

Firms need to create a security environment which reflects diverse realities. Cyber-security experts need to work closely with the people on the ground so that any framework that's put in place adds benefit and increases security rather than hinders development.

Most people's reaction to being told that there's going to be a new security process is either irritation or resignation. Too many times in the past, security protocols have been put in place with the best of intentions but in practice get in the way of people simply trying to get their work done.

The benefit of perspective

With so many different industries operating in a variety of environments, there is a good chance that issues that have developed and been solved in one industry may only just be rearing their heads in other industries.

As a result, it can be important to ensure that you consult widely when looking to amend a security framework. There is significant value in listening to the approaches taken, not just in related industries but ones which are very different from your own.

There is no doubt that having a regulated security and standardisation framework increases trust and reduces risk, and some insurance policies are reliant on having a registered level of compliance, even when it's not mandatory.

It can take a lot of effort to understand and develop compliance frameworks for regulations and standards. Companies should ensure that while they are achieving compliance they are also making the most of the potential security benefits, focusing more on security and less on the governance side. Assuming that security is guaranteed by, or follows from, compliance can be a dangerous philosophy.

Here is a good example of the dangers of being compliant while not paying due attention to cyber-security. An online payment services company achieved compliance with a leading security standard through a long and complex project of implementing security controls, solutions, documentation and policies. This took more than a year to complete and required a substantial amount of resources and energy.

Unfortunately, the company treated the compliance process as a one-time project. Once they had achieved initial compliance and certification, they didn't maintain the effectiveness of the security controls, solutions and processes, and effectively stopped adhering to the requirements of the standard.

A few months later, the company suffered a breach as a result of a targeted attack that exploited a weakness in one of the company's externally facing applications, a vulnerability that could have been prevented if the security controls and processes had been followed.

Had they used a different approach to compliance, the breach could have been detected in time and therefore prevented.

Contributed by Nadav Shatz, managing director, Comsec Consulting UK