On February 9, 2021, NetSPI’s VP of Strategic Accounts Mary Braunwarth was featured in SC Magazine:
Security leaders, especially in highly regulated industries, are overwhelmed because their security decisions solely comply with audit and regulatory frameworks.
Many have to comply with HIPAA for healthcare, PCI DSS for credit card handling, and the requirements of the Office of the Comptroller of the Currency and the FDIC for financial services, leaving security teams fatigued and unable to innovate. Over time, their strategy mirrors their organization’s regulatory and compliance demands. This impacts the maturity of security programs and exponentially increases an organization’s risk, making it susceptible to cyberattacks and even nominal regulatory fines. Consider the Citibank incident, in which Citibank was fined $400 million for falling short in its regulatory-driven risk management processes.
Over the years, I’ve observed that security leaders lose control of their programs because they try to meet the ever-growing demands of regulators, line of business, expanding attack surface, and third parties – the list goes on. It’s critical for security leaders to drive an organization’s security strategy – not the second line of defense (risk management) nor the third line (auditors), nor regulators. After all, it’s the security leaders who inform executives and board members of the risk to critical information assets and how to manage it – and whose jobs are on the line.
My recommendation? Security leaders should pivot from their institutionalized regulatory and audit-driven security programs to one that focuses on both risk and compliance.
Read the full article here: https://www.scmagazine.com/perspectives/rethink-your-cybersecurity-resiliency-using-a-risk-based-strategy/