‘Compliance Isn’t Security’: 5 Keys to a Better Approach


To reassure themselves and their stakeholders that they are properly responding to cybersecurity threats, many organizations rely on audits that demonstrate they’re adhering to compliance mandates and therefore addressing such risks. Indeed, a study by IDG found that 66% of organizations say spending on security is driven by those rules and regulations. Unfortunately, cyber threats usually outpace regulatory requirements, so compliance alone does not guarantee security.

“No matter how many times security pros say ‘compliance isn’t security,’ there are auditors and regulators who think it is,” Pete Lindstrom, VP of Security Strategies at research firm IDC, was quoted as saying in the IDG report.

The alternative is to develop strategic security plans that are based on the best information available at the moment. By their nature, compliance mandates provide guidance that is likely to be at least a step or two behind current risks, which are ever-evolving. And to ensure that resources are being properly employed, organizations need to take a risk-based approach to cybersecurity — one that prioritizes the dangers and allocates resources first to those that pose the biggest threat.

That’s not to say that organizations should avoid a structural approach in guarding against cybercrime, that compliance can be disregarded or that audits and auditors are unhelpful. In fact, there are many ways in which organizations can standardize, centralize, optimize and report on cybersecurity controls and their compliance status. One of these ways is by following the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, which provides guidance on enhancing the internal control function through a risk-based approach.

The COSO framework identifies five key components that organizations should adopt to successfully reduce risk.

  1. Control environment: The control environment refers to an organization’s standards, processes and structures for carrying out internal controls. Top management needs to establish the tone to make it clear the high importance it places on such controls and the need for the rest of the organization to comport with them.
  2. Risk assessment: Risk analysis helps identify and manage areas that could hinder strategic business objectives. Risks should be identified at an organizational level, but also on a more granular level as required for business units, processes, systems and data. As risks are being assessed, the organization also needs to consider its risk tolerance and decide upon the levels at which risks are accepted or require responses.
  3. Control activities: To mitigate risks and achieve business objectives, the organization should put in place detective and protective controls. As with risk assessments, these controls should be considered at all levels of the business. To maximize effectiveness, organizations need to understand the control’s ability to drive down risk. Some risks will require multiple controls, and not all will require the same level of attention. This level of information helps organizations identify gaps, prioritize their efforts and optimize value.
  4. Information and communication: Reporting on the effectiveness of key controls should provide management with the assurance not only that the controls have been implemented, but that they are driving down risk and supporting decision-making. When addressing the topic, security and risk professionals should speak in the language of business leaders and avoid IT jargon. The discussions should include a high-level overview, but drill down into detail for more context as needed. Security and risk professionals also will help executives make informed decisions by quantifying the risk in financial terms to demonstrate the impact and value of implementing controls. Reporting may also be of interest to stakeholders outside the business, so it is important this information is readily available and easily understood by those who may need it, such as:
    • Prospective customers who want confidence in an organization as a potential vendor
    • External auditors and regulators who want to check that the organization is operating within the law
    • Potential investors who want reassurance that measures have been taken to prevent avoidable risks, thus protecting their investments
  5. Continuous monitoring: In some cases, controls don’t have the desired effect. Therefore, it’s critical to regularly review controls, determine how well they are implemented and assess their effectiveness. This allows any identified weaknesses to be remediated in a timely manner. But this is not a one-off task. Building an effective internal controls program is an ongoing process, as it needs to gain validation and be responsive to the changing environment. Progress should be reported over time and provide a sense of direction based on the critical risks.

In conclusion, controls assurance gives confidence to business leaders and other stakeholders that business objectives will be achieved within a tolerable level of risk. This allows the organization to steer its direction and avoid possible hazards along the way.

A well-established and executed controls assurance program can provide significant benefits to an organization, including enhanced security assurance, better responsiveness to threats, and maximum ROI on security investments. To learn more, view our webinar, A Risk-based Approach to Controls Assurance.