Compliant. Certified. Still Insecure?
It is essential that organisations ensure they comply with regulations (such as GDPR, NDB, etc.). Failure to follow regulations can lead to huge fines. I have spoken with clients who state that they don’t believe that regulatory bodies would necessarily hand out significant fines. My question to them is – “Do you want to put that theory to the test?” Insert a smile.
Complying with regulations and newly evolving standards encourages an organisation to implement improved security standards and more robust incident response plans. However, this does not guarantee that an organisation will not suffer a data breach.
Compliance, while unambiguously essential and a good thing, does not equate to security. It does not guarantee it. I see many CIOs and CISOs fall into the trap of Compliance = Security. It does not. Equally, I see many CIOs and CISOs approach cyber security with a checklist. They tick items off to achieve security. Achieving cyber security requires a relentless commitment to standards. And it requires continuous adherence.
Too many organisations achieve compliance just-in-time and believe the job is done. It is not. When it comes to cyber security the job is never done.