I have posted a few articles about different security standards and frameworks, such as PCI-DSS, The Essential 8, ISO27001, NIST and others – and in my experience, there are some organisations that focus on compliance instead of security. People desperately chase the dogma of maturity levels or complying with every clause and sub-section of the standard, ignoring the actual aim – which is to increase security. By selecting only one framework or standard, people can miss out on other opportunities to improve the organisation’s stance. The question still remains – do you focus on compliance or security?

I will explain why having a plethora of frameworks and standards is a good thing, as it allows for different viewpoints and provides subject-matter diversity. I will also outline how no single standard has been written specifically for your business’ needs, and why you will need to adapt and adjust your usage of frameworks to actually meet the needs of your organisation. Standards and frameworks offer a baseline to get you started, but compliance in itself does not prevent security incidents.

Why follow a Standard or Framework?

There are many reasons why an organisation may follow standards or frameworks, such as:

  • They have a regulator or industry body insisting on compliance (think PCI DSS, which the card brands require of anyone handling cardholder data)
  • There is a legal requirement (think HIPAA in the US)
  • To provide customers or partners with confidence in their security
  • To guide the organisation in how they approach cybersecurity issues
  • They have been hacked or had a “near miss”
  • The organisation lacks the maturity or capability to work it out for themselves (or the Board does not understand)

The organisation may end up picking one standard, and then start the work to implement controls and measures to comply with the framework. The problem comes when an organisation decides to focus on compliance rather than security: it either misses important controls that the standard does not mention, or invests in the wrong areas just because they are in the standard. Not every control or recommendation in a standard is useful for every organisation, and some may even be obsolete.

Why pick one standard?

I have seen organisations make the decision to pick one standard, and then miss out on work that they should be doing. The aim of a framework or standard is to increase security, but some people miss that fact. None of the standards achieve, or even claim to achieve, a full and holistic cybersecurity stance that covers everything. So why focus on just one?

The crossover of standards

If you focus on compliance with just one framework, you could miss important measures and controls. For example, The Essential 8 requires regular backups, whereas PCI DSS only addresses the secure storage of backup media and does not require that backups be taken at all. As I have mentioned before, The Essential 8 is a narrow set of mitigations focused on individual issues, and it does not recommend network segmentation, as PCI DSS does. NIST 800-53 has whole control families for the physical environment and for personnel security such as screening; ISO 27001 covers these areas in its Annex A (human resource security, including screening, and physical and environmental security), but The Essential 8, being a list of eight technical mitigations, does not address them at all.

The aim of all standards and frameworks is to increase security, and we need to ensure that the work we do on achieving compliance is done in the context of improving security, not compliance for compliance’s sake.


We need to be careful of recommendations for ‘increasing maturity’ when it comes to compliance. Is maturity really a spreadsheet of green and red cells, with numbers moving gradually from red to green? Is that really security?

For those assessors and consultants who come in with a check-list, is that really a risk assessment, or just a check of whether you are making the same mistakes as someone else, someone who may be in a different industry and have different business needs, threats and exposure?

What to really do

I have written before on how to start, but it all boils down to understanding the business needs (people, process, technology and regulations), then understanding the threats and risks, and what the available solutions and measures can offer. Then make a plan, implement it, check that it is working (against the business needs and other factors), and modify the plan and approach as needed. Keep updating as the horizon changes.
