
Cultural engagement, regulatory roadmaps for a robust cyber posture

To remain compliant, a culture change is necessary.

Why are so many organisations failing to meet regulatory requirements? The European Union has imposed €146 million in fines on GDPR violators in the first six months of 2024.

This is especially alarming given that several regulatory changes and new regulatory frameworks are expected in the coming months in the US, EU and UK. Cybersecurity and data privacy regulations are constantly evolving, yet organizations are unable to comply with regulations that were originally enacted many years ago.

But for a truly secure cyber posture, compliance is just the beginning. Indeed, organizational leaders need to ensure that they are not only following the frameworks that govern their industries and customer ecosystems, but are truly protected by the cyber defenses and solutions they have in place. In this sense, chief security and compliance officers could benefit from a mindset shift, looking at the culture of the company and treating regulations as guidelines—not goals in themselves.

Strategic cyber compliance for true protection

Compliance should not be the end goal, as this mindset can turn compliance into a mandatory effort unrelated to the real benefits. In the case of data security, for example, the primary concern is not meeting CCPA, GDPR, and other privacy guidelines as an end in itself. It is about protecting user or customer data to maintain their trust and ensure uninterrupted operations.

Furthermore, achieving cyber compliance does not necessarily mean that an organisation’s data is automatically safe. A fully compliant organisation can still fall victim to attacks and breaches, although it is much less likely to suffer the worst consequences. For example, 3CX suffered a major data breach following a supply chain attack last summer, but the company confidently claims to be GDPR-compliant.

While regulatory frameworks can be extremely rigorous, they are still nothing more than frameworks, and security teams must treat them as starting points for finding potential gaps and mitigating risks across the organization, as the situation requires.

Having compliance badges is good for building credibility, but that credibility can crumble in the blink of an eye if an attack manages to bypass your defenses.

Navigating the Complexities of Information Security and Privacy

But it’s understandable why many people equate data security with compliance. In Europe, for example, GDPR is seen as a key regulation for the use of data to advance AI. In the United States, lawmakers are considering the merits of regulating AI data privacy in response to privacy concerns raised by the use of massive amounts of data in AI.

Digital privacy and cyber regulation are deeply intertwined, and navigating all the nuances can become quite complex. Often, compliance teams must pay more attention to the regulatory frameworks relevant to their audiences than to those relevant to their corporate location.

“One of the most confusing aspects of digital privacy law is its multifaceted nature, with laws that vary significantly across jurisdictions,” says Aaron Jackson of Dunlap Bennett & Ludwig. “The global nature of digital interactions has created a complex patchwork of privacy laws that businesses must navigate,” he adds.

Given these complexities, it makes sense that compliance teams often default to a “checkbox” mode. They may no longer have the resources and time to come up with strategic data protection controls that work for their specific use cases, so they rely almost entirely on regulatory guidance.

Governance, Risk Management and Compliance

True data protection is not just about compliance. There are at least two other aspects to consider, namely governance and risk management. Together they form the trio of governance, risk management and compliance (GRC), which provides a framework for a holistic approach to managing IT assets.

To ensure that the entire enterprise landscape is properly managed, it is important to treat data management not as a standalone operation, but as part of a set of important activities that complement each other.

As Arik Solomon, Co-Founder and CEO of Cypago explains, “Given the overwhelming growth in the amount of data that every organization creates and consumes, today’s business environment requires a robust and integrated approach to GRC management.” He adds that “effective GRC management requires a holistic approach that considers governance, risk, and compliance as interconnected functions.”

The adoption of GRC has also inspired changes in corporate structures and operations. For example, chief information security officers (CISOs) previously reported primarily to chief information officers (CIOs), but now work with various heads of other departments or sectors of their organizations. Their roles are being redesigned as they try to coordinate their efforts to address emerging threats and more sophisticated attacks, underscoring the need for comprehensive GRC management strategies that apply across departments.

Changing Company Culture to Ensure Cyber Compliance

Changing the culture of an organization is easier said than done. It takes time to effectively change the way teams perceive security. However, here are a few points that encourage change for the better.

First, it’s crucial to understand that regulations are not end goals. CISOs can help change the culture around effective cyber compliance by taking steps to integrate regulations as part of regular processes wherever possible. Rather than undergoing periodic assessments, compliance should be achieved from the outset. Compliance is not a “set it and forget it” affair, but an ongoing priority.

Second, it’s important to highlight the benefits of the change. As Nik Hewitt of TrueFort notes, “Recognizing that the security team is actually facilitating better work and increasing productivity can be a major factor in greasing the wheels toward adoption—and can bolster additional support from department heads to promote best practices for their teams.”

It is also important to point out the negative consequences of lax security practices. Indeed, there are potential financial losses when organizational cultures do not evolve to become more effectively compliant, from regulatory penalties to loss of customer trust. These are important details that everyone in the organization must understand.

In addition, regular and ongoing training is a must. It is important to equip everyone with the knowledge and tools needed to smoothly adopt a culture of meaningful cyber compliance. Training sessions also serve as opportunities to communicate the benefits and challenges of changing the culture. Ongoing training is necessary because of the typically high turnover in compliance-relevant roles and the rapid evolution of both threats and compliance standards.

It is also important to maintain detailed records and processes. Proper documentation and complete record keeping are essential to ensure accountability, accuracy and traceability.

Finally, organizations should adopt a mindset of continuous improvement. Tracking progress is essential to overcoming the challenges of transforming a company’s culture. It’s important to spot problems and resolve them quickly, while remaining vigilant to keep threats at bay.

Regulations help organizations comply with standards, but their positive impact is unsustainable if the culture of the organization is not aligned with the core purpose of cybersecurity. Organizations must reform their core internal policies, practices, and processes to implement proper data management and security. Regulations are important for compliance, but they are not the end goal. Instead, they serve as guides to establish a culture change that makes good policies, rules, and procedures part of core operations.