Compliance vs. Risk
As a company, we’ve tried to understand which organizations are most likely to mature their information security programs. It seems that the answer should be obvious: organizations with valuable assets or the need to have data highly available should be very concerned about information security. This could translate into organizations that have a lot to lose, ones that have high profit margins, or those involved with the nation’s critical infrastructure. Interestingly, this is generally not the case. In fact, the primary drivers for maturing information security within an organization are regulations or contractual standards with strong penalties for non-compliance. Why is this? One problem is that risk is very subjective. In a downturn, the risk equation can change dramatically. If you are fighting for the survival of a firm, it’s easy to justify not investing in information security. Compliance, however, is not as subjective. While there is room for some interpretation, compliance regulations and standards are stable, detailed, and consistent. This means that compliance is easier to justify, easier to plan for, and easier to assess. But while meeting compliance standards can be a very good thing, it does create a problem: risk is often left out of the equation. For example, payment card industry (PCI) data often gets more attention at hospital systems than does protected health information (PHI). Based on risk, the patient-related data and services should be classified as at least as important as the credit card information. It usually is not, however. Without a risk-based approach or a strong compliance standard like PCI, PHI won’t get the attention it deserves. (The PHI standards are being tightened somewhat, by provisions of the American Recovery and Reinvestment Act, or ARRA, passed this year by Congress.) Compliance can help speed the maturation process, and it is valuable in other ways, but it lacks the depth and breadth of a risk-based approach. Additionally, creating regulations and standards for all things that should be secured just isn’t possible. In an ideal world, organizations will take a more holistic, risk-based approach that includes compliance, but this may have to wait until the economy turns around.
Explore More Blog Posts
Emulating & Exploiting UEFI: Unveiling Vulnerabilities in Firmware Security
Explore the intricacies of UEFI security with exploration into emulation, dynamic analysis, and the LogoFail vulnerability. Learn how subtle input manipulations can expose critical firmware weaknesses.
Scaling Security with Modern PTaaS: Gartner Report Insights
Discover Gartner® 2025 insights on how PTaaS scales security with continuous validation, automation, and real-time remediation, and how NetSPI can help.
Why Continuous Testing is the New Standard for Modern Security
NetSPI's continuous pentesting delivers regular, tailored assessments across critical assets, customized to your organization's risk profile and operational cadence to ensure coverage where it matters most. These services are delivered through NetSPI’s leading PTaaS platform using existing workflows.