Taking cybersecurity beyond a compliance-first approach

Feb 19, 2018 | 6 mins
Compliance | Data and Information Security | Network Security

A compliance first approach to security is fundamentally insecure. It's time for companies to change the mindset, go beyond simply meeting regulatory requirements and focus on truly protecting data.


The cybersecurity landscape is plagued by the fact that attackers seem to be permanently one step ahead, and in some cases regulation compounds the problem rather than addressing it. Understandably, many organizations define their security policies around regulatory requirements; the result is that their security posture goes out of date very quickly. Regulations are typically at least 24 months old by the time they are implemented, and a compliance-only approach also hands an attacker an 'access blueprint': the published requirements show which controls an organization has in place and, by omission, which weaknesses in the security model no regulation covers.

Disturbing trend

With high profile security breaches continuing to hit the headlines, organizations are clearly struggling to lock down data against the continuously evolving threat landscape. Yet these breaches are not occurring at companies that have failed to recognize the risk to customer data; many have occurred at organizations that are meeting regulatory compliance requirements to protect customer data. 

Given the huge investment companies in every market are making in order to comply with the raft of regulation that has been introduced over the past couple of decades, this continued vulnerability is – or should be – a massive concern. Regulatory compliance is clearly no safeguard against data breach.

Should this really be a surprise, however? With new threats emerging weekly, the time lag inherent in the regulatory creation and implementation process is an obvious problem. It can take over 24 months for regulators to understand and identify weaknesses within existing guidelines, update and publish requirements, and then set a viable timeline for compliance. Throughout that period an organization whose security strategy is dictated by compliance is exposed to every threat the guidelines do not yet address. Furthermore, these are catch-all standards that are both open to interpretation and fail to address specific business needs or operational models, which immediately creates security weaknesses.

Hacking blueprint

Yet despite this obvious vulnerability, organizations are actually moving towards a compliance-first model rather than away from it. Rather than extending the remit of the Chief Information Security Officer (CISO), growing numbers of organizations are recruiting Chief Compliance Officers (CCO), effectively side-lining the data security requirements of the business. Compliance is clearly important, but it should be a subset of the overall security strategy, with the CCO reporting to, not replacing, the CISO.

Following this attitude to its logical conclusion can only further undermine an organization's security posture: organizations that meet compliance requirements may avoid penalties, but they are not secure. In fact, by taking a compliance-first approach, organizations are effectively advertising their security posture to attackers. A published regulation, while open to some interpretation, spells out the minimum controls a covered organization will have in place. An attacker can therefore assume exactly those controls, and no more, and concentrate on the systems, data flows and techniques the regulation does not mention.

Attaining regulatory compliance offers organizations a false sense of security on many levels, not only because of the new threat landscape but also because of the ways in which emerging connected technology is being used. The adoption of the Internet of Things (IoT) is a prime example of regulations' inability to keep pace. The Health Insurance Portability and Accountability Act (HIPAA), for example, has specific requirements for the handling of patient data, but an attacker who breaches an IoT patient monitoring device does not just compromise the patient's data: by tampering with the device's settings, the attacker can endanger the patient's life. Would compliance with the existing HIPAA requirements stand up in court should that patient's family sue for mismanagement? Put a security expert on the witness stand and most probably not. Security teams know that prioritizing compliance demands over effective data security is wrong, and businesses that fail to listen will pay the price.

New mindset

The entire security model is flawed, not least because most regulatory bodies still adhere to the 'secure the border' model. Breach prevention, and even breach detection, are not adequate security postures on their own. They assume a level of trust: that anyone or anything inside the border is trusted until proved otherwise. But this is patently untrue, as the raft of breaches, many of them undetected for months, reveals.

Organizations and regulators alike need to stop trying to build trust into an infrastructure and adopt a 'Zero Trust' mindset. This means decoupling security from the complexity of the IT infrastructure and addressing the specific risk posed by each user and each IoT device. Instead of starting from firewalls, network protocols and IoT gateways, organizations should start from the data assets and applications, and then determine which user roles genuinely require access to each of them.

Building on existing user access and identity management policies, organizations can very quickly use cryptographic segmentation to ensure that only the roles entitled to a privileged application or data set can reach it. Each cryptographic domain has its own encryption key, so an attacker who has compromised one domain or segment holds nothing that lets them read, forge or join traffic in another; a breach is contained to the domain in which it occurred. The caveat a practitioner should keep in mind is that the key only enforces what the access policy says: an attacker who has stolen credentials that the policy already admits to a domain is inside that domain, and the segmentation limits the blast radius to that domain rather than eliminating it. That is still a far better position than a flat network, where one compromised host can reach everything.
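To make the segmentation model concrete, here is an added example; it is not code from the original article and not Certes Networks' product. It models two cryptographic domains, each with its own AES-256-GCM key, behind an enforcement point that consults a role policy before any key is used. The domain names, users, roles and the sample payload are constructed for the illustration. It shows the containment the paragraph describes (a frame sealed in one domain fails authentication under any other domain's key, and a tampered frame fails too) and also its limit: a user the policy admits to a domain gets that domain's traffic, so policy, not cryptography, decides who is inside.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain is one cryptographic segment: its own AES-256-GCM key plus the
// set of user roles the policy admits to it.
type Domain struct {
	Name  string
	roles map[string]bool
	aead  cipher.AEAD
}

// NewDomain generates a fresh key for the segment (in a real deployment the
// key would come from a key-management service, never from the endpoint).
func NewDomain(name string, roles ...string) (*Domain, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	d := &Domain{Name: name, roles: map[string]bool{}, aead: aead}
	for _, r := range roles {
		d.roles[r] = true
	}
	return d, nil
}

// Seal protects a payload under this domain's key. The domain name is bound
// as associated data, so a frame cannot be replayed into another domain even
// if two domains were ever mistakenly configured with the same key.
func (d *Domain) Seal(payload []byte) ([]byte, error) {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return d.aead.Seal(nonce, nonce, payload, []byte(d.Name)), nil
}

// Open authenticates and decrypts a frame with this domain's key. A frame
// sealed under any other domain's key fails authentication here.
func (d *Domain) Open(frame []byte) ([]byte, error) {
	ns := d.aead.NonceSize()
	if len(frame) < ns+d.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	return d.aead.Open(nil, frame[:ns], frame[ns:], []byte(d.Name))
}

// Policy maps users to roles: the identity layer the segmentation builds on.
type Policy struct{ userRoles map[string][]string }

func NewPolicy(userRoles map[string][]string) Policy { return Policy{userRoles: userRoles} }

// Permits reports whether any of the user's roles is admitted to the domain.
func (p Policy) Permits(user string, d *Domain) bool {
	for _, r := range p.userRoles[user] {
		if d.roles[r] {
			return true
		}
	}
	return false
}

// Send models the enforcement point in front of a domain: policy is checked
// first, and only then is the domain key used, so a user who is not entitled
// to the domain never comes near its key material.
func Send(p Policy, user string, d *Domain, payload []byte) ([]byte, error) {
	if !p.Permits(user, d) {
		return nil, fmt.Errorf("policy: %q is not admitted to domain %q", user, d.Name)
	}
	return d.Seal(payload)
}

func main() {
	// Constructed domains, users and payload for the illustration.
	patient, _ := NewDomain("patient-records", "clinician")
	billing, _ := NewDomain("billing", "finance")
	policy := NewPolicy(map[string][]string{"alice": {"clinician"}, "bob": {"finance"}})

	frame, err := Send(policy, "alice", patient, []byte("vitals: HR 72 bpm"))
	if err != nil {
		panic(err)
	}
	pt, _ := patient.Open(frame)
	fmt.Printf("patient-records key opens frame: %s\n", pt)
	// An attacker who fully owns billing, key included, cannot read or forge
	// patient traffic with it: the segment boundary holds.
	_, err = billing.Open(frame)
	fmt.Println("billing key on patient frame:", err)
	// The limit of the model: policy decides who is inside a domain.
	_, err = Send(policy, "bob", patient, []byte("x"))
	fmt.Println(err)
}
```

Binding the domain name as associated data is a cheap defence in depth: even a configuration mistake that gives two segments the same key does not let frames cross between them, because the name mismatch fails authentication.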

It is by creating a Zero Trust approach to data security first, and only then overlaying any specific compliance requirements, that organizations can lock down the business against threat and meet regulatory demands.


Organizations are understandably concerned about the financial penalties associated with failing to achieve regulatory compliance. But take a step back and consider the financial implications of data breach, of high profile customer data compromise. That is a far more significant cost and an event that will have long term repercussions on customer perception and loyalty.

This continued, even increasing, focus on compliance over data security is confusing. These static regulations can never be up to date and can never provide the robustness of security posture required to protect data against a continually evolving threat landscape. The fact that the regulations are open to interpretation creates further potential weaknesses within the security architecture.

The blunt fact is that compliance driven security programmes do not adequately address the threat landscape because the focus is on meeting audit trail requirements rather than leveraging security innovation to effectively fight the latest threats. The model is wrong – and businesses are suffering as a result.


As VP & GM Americas Certes Networks, Jim Kennedy is a results driven senior sales and operations technology executive with experience in both large corporate and small startup environments. Jim has executive leadership in all aspects of sales management functions, driving sales teams to achieve extraordinary results, rapid growth, turning around underperforming sales teams, and complete profit & loss (P&L) management.

Jim has worked in international sales, business development, strategic partnerships and operations in over 20 countries globally giving him a broad experience in leadership including sales, sales operations, corporate strategy, corporate development, product management, industry solutions, value added service, and global operations.

With over 30 years of experience leading sales teams to growth of both product and services revenue consistently and predictably, Jim has a proven track record of increasing revenue and profitable bottom line growth, while spearheading operational improvements. Jim’s extensive expertise in various IT segments includes IT strategy development, software/hardware infrastructure, voice/data networks, IP telephony, video teleconferencing, software defined networking, hyper-converged computing; private, public and hybrid cloud technologies, network security, SaaS and overall IT-related services.

Jim is a recognized motivational leader with a reputation as a strategic thought leader and a hands-on tactical executor who consistently delivers results, increases annual revenues and gross margin, drives change, and develops and attracts 'best-in-class' talent.

Jim has successful experience in private equity- and venture capital-backed companies, raising capital, mergers and acquisitions, mature companies, rapid growth companies, restructured organizations, successful sale of organizations and other strategic exits.

The opinions expressed in this blog are those of Jim Kennedy and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.