Information security – risk v compliance-focused approaches

Louis Head, Consultant at CRMG, talks through the two ways organisations can approach information security and explains why it’s always important to consider risk

When organisations implement an information security programme, one of two lenses usually steers the direction of focus – compliance or risk.

Most businesses will consider both compliance and risk, with the balance largely determined by the sector the organisation operates in and the extent to which it is regulated.

For example, a retail business might well focus its efforts on the measures required to be PCI-DSS compliant, while an insurance company is likely to focus heavily on data protection.

But regardless of compliance requirements, it’s important to overlay the lens of risk to ensure that cyber security efforts ultimately address the organisation’s own cyber threat profile and deliver fit-for-purpose business resilience.

Understanding the difference between risk and compliance

Taking a risk-based approach to information security is all about identifying the specific cyber threats the organisation faces and the areas of the business where a successful attack would have the greatest impact.

From this understanding, resources can be assigned to protect the confidentiality, integrity and availability of the company’s digital assets through a range of controls.

A risk-based approach allows the organisation to do this efficiently and cost-effectively, with the greatest areas of risk being given the most resources.

On the other hand, information security compliance is about ensuring that legal obligations, requirements and standards are met to prevent negative consequences such as legal challenges, fines and lost customers.

These standards often come from a range of areas including government, industry, financial institutions and sometimes even partners and customers. In most cases, there is a lot of overlap and cybersecurity is just one part of a wider set of standards to be met.

For smaller businesses, compliance-centric practices can be more pragmatic at first

For small to medium-sized enterprises, the scales usually fall in favour of compliance, at least initially. For example, suppliers looking to grow their customer base and win new business are increasingly being asked to become ISO 27001 compliant.

Without this certification, some organisations simply won’t work with a third-party provider, as doing so could weaken their own cyber security resilience.

Smaller organisations don’t always have the internal expertise or maturity to implement information security from scratch without support, so a standard framework of requirements can act as useful scaffolding for a growing information security function.

For larger or enterprise-level organisations that have already taken the compliance approach, refocusing on risk can be hugely beneficial.

Of the two approaches, it is the one that best acknowledges the organisation’s context, aligning with day-to-day operations to mitigate the potential impact of threats.

For example, the organisation might operate in an industry that is highly exposed to DDoS attacks. This would justify devoting more resources to defending against, and mitigating the impact of, a successful DDoS attack than to protecting against phishing, which may pose a lower risk once industry context is taken into account.

Why we always advocate addressing risk in information security

CRMG always recommends that organisations consider risk when it comes to information security. This is because you are far more likely to mitigate risks by directly addressing them than by merely going through the tick-box exercise of information security compliance.

However, to do this effectively, the security leader within the company must also be a realist – the organisation must have an appetite and/or the resources to implement a risk-based approach. If it doesn’t, compliance is likely to be the primary area of focus until it does.

For most organisations, there will be a need to combine both approaches. For example, they may be required to implement certain protocols by the government of the country they operate in, with standards also set by the financial institutions they work with. However, this should be augmented with a tailored risk-based approach where at all possible.

In reality, a pragmatic approach is best. Ultimately, it’s important to not lose sight of wider business goals, and this is where taking a risk-based approach will – by definition – keep you on track.

CRMG is highly experienced in supporting businesses to combine risk and compliance approaches to information security. If you’d like to know more about how we can assist your organisation, contact a member of the team.

Cyber security - right first time.

Let’s design a cyber security programme that fits your risk profile precisely.