Compliance Doesn’t Mean Your Organization is Secure

No matter the size of your organization or your industry, cyber security shouldn’t be about checking a box.

While compliance frameworks like NIST, HIPAA and PCI establish a good foundation for privacy and security, meeting these standards doesn’t mean you have all your bases covered. Hackers are continuously pulling ahead in the cyber war, with increasingly sophisticated threats and zero-day exploits. So it’s probably not the best idea to limit your defenses to standards that are, on average, about two years old.

Some of the largest companies in the Fortune 500 have learned the hard way not to rely on compliance alone. For instance, during the now notorious breaches at Target, Neiman Marcus and other large retailers, many of the companies attacked were compliant with PCI standards for credit card transactions. But compliance did not stop hackers from breaking into databases and stealing credit card information for tens of millions of customers.

Similar examples abound in other industries. In February 2015, health insurance giant Anthem Blue Cross and Blue Shield experienced a massive PHI breach involving approximately 80 million customer records – despite the company’s compliance with NIST and HITRUST guidelines. Following the incident, analysts began raising questions about the general effectiveness of such standards in preventing breaches.

Faced with the costly repercussions of their respective incidents, none of these organizations can find solace in the fact that they met the security compliance standards. They can only take measures to improve their security postures and better mitigate their risks. In other words, they can close the gap between compliance standards and effective cyber security.

So how does an organization close the security gap? The answer depends on a number of factors specific to the firm’s systems, resources and priorities. However, some common approaches have been successful across a range of firms.

First, a company’s cyber security efforts need to be knowledge-driven. Although compliance builds a good foundation, it takes skilled risk assessment to determine where to focus investments. Performing multiple assessments over the course of the year allows a company to fine-tune its security controls on an ongoing basis and keep its defenses current. Just as a hedge fund’s investment strategy requires more than one day’s worth of data from Bloomberg, a cyber security program requires continuous assessment to be effective.

Many companies are also finding success in broadening the scope of their threat intelligence to include Dark Web monitoring and participation in information sharing and analysis partnerships between the private and public sectors.

Of course, in a field where the rules shift rapidly, it’s always important to have security professionals who can keep up with the change. Having a dedicated vCISO or CISO to govern cyber security efforts allows a firm to close the gap between outdated compliance standards and today’s most prevalent threats.

If your organization has achieved compliance with cyber security standards, you have taken a critical step in protecting your data and assets. But remember, it’s not about checking the box, and there is still a lot of work to do in building out your defenses.

To learn more about how Gotham Security takes cyber security beyond compliance, contact us at 917.734.4120 or