
Making cybersecurity compliance work for you

Mark Thomas

Group CTO Cybersecurity, Dimension Data


Compliance requirements for technology, particularly concerning personal data, are steadily growing around the world. The most visible example is the General Data Protection Regulation (GDPR), a broad EU law that covers many aspects of private data protection and actions in the event of a breach. But it’s one of many. Earlier this year, the Notifiable Data Breach (NDB) scheme came into effect in Australia, requiring companies to reveal if a breach had occurred, among other compliance standards.

Some might cast this new wave of laws as political knee-jerk reactions to user data concerns about privacy. But they’re also a response to a growing tide of cybercrime, of which user data and credentials are often the focus. Already NDB has created a massive spike in reported breaches, indicating that many companies were simply not revealing attacks and hid the scale of the problem.

It’s not just about awareness. In many regions compliance is the only incentive for proper cyber resiliency practices. Many organisations are loath to invest in security, instead focusing those funds on technology that drives innovation. Cybersecurity is still treated as an afterthought instead of a strategic component. Executive buy-in is lax, particularly when the scale of some cybersecurity projects becomes apparent. Boards, in particular, tend not to be cyber-savvy, leading to poor strategic choices. Compliance can help prompt different behaviour.

The standard messaging, that fixing a breach is much more expensive than preventing it, still doesn’t resonate as much as it should, though awareness is clearly higher than it was a few years ago. Our Executive Guide to the NTT Security 2018 Global Threat Intelligence Report (GTIR) highlights that protecting against compromise upfront is far less costly.

Why compliance matters

Compliance has become a necessity. This is increasingly apparent in places where regulations are still lacking, such as the APAC region. Here, investment in innovative technologies far exceeds cybersecurity investment, attracting adversaries whose often rudimentary attack techniques succeed more readily.

Implementing compliance helps establish a security baseline, and encourages the business to share similar security priorities across all of its units. It prompts companies to take a more risk-focused perspective on cybersecurity and dissuades them from relying on a very bad habit: that of thinking security is the problem of the CIO and other IT professionals.


Technology today is pervasive and central to companies, commanding large budgets and massive influence on productivity. It stands to reason that the C-suite and other executives should have ownership of those systems. But technology and security cannot be separated, so it makes sense that security should be treated the same way. Yet, because it doesn’t have the same clear business-driver benefits, security is rarely articulated at that same level.

Compliance, though, spreads risk across more than a few departments, prompting involvement across the board. This is why good compliance can help establish good security, as evidenced in 2015, when banks that complied with PCI standards also saw a notable drop in the success of cyberattacks against them.

Where compliance falls short

Yet, at the risk of sounding contradictory, good compliance doesn’t equate to good security. Indeed, it can have the opposite effect: companies can convince themselves that because they took care of compliance, security has been dealt with. This is a dangerous attitude because it’s not true.

Though compliance encourages a minimum security baseline, it doesn’t necessarily foster a healthy security culture. What’s the difference? Whereas compliance can be treated as a checklist that will pass the muster of audits, good security is an ongoing continuous effort that’s reflected through processes, user awareness and ongoing testing. In the Executive Guide to the NTT Security 2018 Global Threat Intelligence Report (GTIR) we highlight the importance of security being everyone’s responsibility.

Compliance establishes the levers for investment and follow-through from leadership, but it doesn’t create a security culture. It can even cannibalise security efforts - large compliance projects are often funded out of security budgets.

Another blind spot created by compliance is that most of the focus is on prevention. This isn’t bad, but it’s not enough to qualify as a cybersecurity culture. At some point, an organisation will experience a successful attack, and it will then need several proactive measures to limit the damage. Compliance and other regulations don’t focus heavily on such scenarios; that can only be accomplished through a proactive security culture. It’s all about the expertise and investment to design, deploy and test cybersecurity plans. These are habits that compliance can help support, but not establish.

The benefits of frameworks

Nonetheless, compliance is crucial and useful to begin those conversations towards a good cybersecurity culture, one that involves business strategy and processes. That being said, companies don’t have to wait for compliance to come knocking if they want to encourage this journey.

Frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework (often just called NIST) bring a different proposition to the table. These are voluntary yet highly practical guides to establishing cybersecurity systems and cultures across an organisation. In some cases, frameworks cater to specific sectors, usually as a way to avoid regulatory intervention from states. But ones such as NIST are sector agnostic.

They also don’t discriminate on company size, which is often a problem with compliance. Whereas large enterprises can usually afford behemoth compliance projects, smaller businesses rarely have that level of fiscal liquidity. Frameworks such as NIST give them useful, best-of-breed guidelines on how to implement security that works for them.

Compliance is key, but not all-encompassing. To appreciate its role, it’s important to understand the following:

  • Cybersecurity compliance is being driven by private user data, which can include data about customers and employees as well as the credentials used to access sensitive company assets.
  • Compliance is very useful to create a cybersecurity baseline and encourage both buy-in and investment from business leaders.
  • Compliance tends to function through checklists, whereas cybersecurity culture is an ongoing, living part of the business that should sit close to strategy.
  • Compliance isn’t sufficient to establish a cybersecurity culture, but can encourage the relevant buy-in and follow-through needed to create such a culture.
  • Treating security as a business problem for the CIO instead of the whole company will harm cybersecurity culture, leading to underfunding and poor planning for security events.
  • Compliance projects are often funded from security budgets, which could harm proactive security measures, and require a careful balancing act.
  • Frameworks such as NIST are voluntary but can serve as excellent practical guides to instilling good security practices and cultures.
