
Cybersecurity: Beyond Compliance and Checkboxes

Seth Nielson

Oct 13, 2023

Compliance is important for many reasons including legal, regulatory, and insurance-related requirements. Compliance can also be helpful in establishing certain baselines for securing an organization’s digital infrastructure. However, by its very standardized nature, compliance is almost always very general, very broad, and very static. True cybersecurity resilience requires specific, tailored, and dynamic operations.

Nevertheless, compliance can be a very good place to start if you are trying to get your organization moving down the security path. Many organizations would find it challenging to launch a cybersecurity initiative without some outside direction. Compliance can provide some structure to such initiatives because it generally tracks widely agreed-upon guidelines for protecting an organization and its assets. Also, in today’s world of ever-increasing digital regulation, compliance helps avoid hefty fines imposed by regulatory bodies, is often a condition of insurance coverage, and may even be necessary to do business with certain types of clients.

For all of these benefits, compliance can be bad for security if used improperly. If compliance leads organizations to a false sense of security (e.g., “We’re compliant, so we don’t have to do anything else!”), it makes things worse instead of better. As an example, the NIST[^1] SP800-171[^2] document provides guidance for “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” In other words, it is a government guide for securing important but unclassified data. One of the first requirements is to “limit system access to authorized users, processes acting on behalf of authorized users, and devices.” For this specific requirement, compliance is based on limiting access to authorized users, but the requirement says nothing about which users should be authorized. Technically, an organization might[^3] be compliant with this requirement by making everyone authorized. Even if this satisfies the requirement for compliance purposes, it is terrible security, and organizations that embrace this kind of approach to compliance will pay the price eventually.
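To make the “everyone is authorized” problem concrete, here is an added illustration (not code from the original post, and not a compliance test of any kind): a hypothetical access-policy model with a constructed user list, where the letter of “limit access to authorized users” is met by both policies, but a least-privilege review flags the one that authorizes the whole organization.

```python
from dataclasses import dataclass, field

# Constructed sample data: a small organization and the job role each user holds.
USERS = {
    "alice": "engineering",
    "bob": "engineering",
    "carol": "finance",
    "dave": "sales",
    "erin": "hr",
}


@dataclass
class Policy:
    """Hypothetical model: the explicit set of users allowed to reach one system."""
    system: str
    authorized: set[str] = field(default_factory=set)


def is_access_limited(policy: Policy, users: dict[str, str]) -> bool:
    """Letter of the requirement: access goes through an explicit list of known users."""
    return all(u in users for u in policy.authorized)


def roles_granted(policy: Policy, users: dict[str, str]) -> set[str]:
    """Which job roles end up with access under this policy."""
    return {users[u] for u in policy.authorized if u in users}


def review(policy: Policy, users: dict[str, str], needed_roles: set[str]) -> list[str]:
    """Findings a security reviewer (not an auditor) would raise about the policy's spirit."""
    findings = []
    if not is_access_limited(policy, users):
        findings.append("authorized list contains unknown principals")
    if users and len(policy.authorized) == len(users):
        findings.append("everyone is authorized: the list limits nothing")
    extra = roles_granted(policy, users) - needed_roles
    if extra:
        findings.append(f"roles with no business need: {sorted(extra)}")
    return findings


# Checkbox approach: every employee is authorized for the payroll system.
checkbox_policy = Policy("payroll", set(USERS))
# Tailored approach: only the roles that actually handle payroll data.
tailored_policy = Policy("payroll", {u for u, r in USERS.items() if r in {"finance", "hr"}})

if __name__ == "__main__":
    for p in (checkbox_policy, tailored_policy):
        print(p.system, sorted(p.authorized), review(p, USERS, {"finance", "hr"}))
```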

Hence, relying solely on compliance for security can leave organizations blindsided by contemporary cyber threats. Think of compliance as the frame of a house: essential, but it does not provide complete walls, windows, or other necessities like insulation. Because cyber-attackers are not static, a static defensive framework alone cannot defeat them! Compliance is therefore only useful to the extent that it helps build a “whole house” that can anticipate threats, adapt to unforeseen security changes, and incorporate new technologies.

As an example, cybersecurity training is crucial to good defenses but often manifests itself as ridiculous, time-wasting activities that are universally hated by employees. Cybersecurity resilience, capable of dealing with persistent adversaries, requires a culture where continuous learning is fostered and embraced. When this kind of culture is vibrant, from top-tier management on down, compliance requirements for regular security training and hands-on testing exercises will be successful, improving the organization’s collective ability to identify and address security problems effectively. Without an engaged and proactive learning culture, training will “check the box” but will have little, if any, defensive impact.

At Crimson Vista, we offer advisory services to assist clients in maximizing their compliance initiatives. For organizations that are required to spend money on compliance targets, it is crucial to get the most real security out of their compliance budgets. Our investigative services play a pivotal role in pinpointing key data, forecasting potential threats, and detecting system vulnerabilities. This enables clients to not only meet compliance but to surpass it, producing a robust security posture.

[^1]: NIST is the United States National Institute of Standards and Technology.

[^2]: NIST Document

[^3]: Determining compliance with any standard, including NIST SP800-171, requires a formal audit by competent (and sometimes specially credentialed) professionals. This document does not offer any advice on how to become compliant with any standard, nor does it offer any opinion about whether or not a given configuration satisfies any related requirements.