The Top 5 Signals Your Company is Prioritizing Compliance Over Actual Security
Kenny Scott
Aug 2023
"Show me the incentive and I will show you the outcome" - Charlie Munger's words ring true in today's digital age where data sharing between companies is commonplace. Companies want to signal to other companies their organization has achieved a certain measure of security and compliance. This article shows what to look out for in your company to make sure priorities are in the right place in protecting data, and not just about passing an audit.
Sleek v2.0 public release is here
Lorem ipsum dolor sit amet, consectetur adipiscing elit lobortis arcu enim urna adipiscing praesent velit viverra sit semper lorem eu cursus vel hendrerit elementum morbi curabitur etiam nibh justo, lorem aliquet donec sed sit mi at ante massa mattis.
- Neque sodales ut etiam sit amet nisl purus non tellus orci ac auctor
- Adipiscing elit ut aliquam purus sit amet viverra suspendisse potent i
- Mauris commodo quis imperdiet massa tincidunt nunc pulvinar
- Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti
What has changed in our latest release?
Lorem ipsum dolor sit amet, consectetur adipiscing elit ut aliquam, purus sit amet luctus venenatis, lectus magna fringilla urna, porttitor rhoncus dolor purus non enim praesent elementum facilisis leo, vel fringilla est ullamcorper eget nulla facilisi etiam dignissim diam quis enim lobortis scelerisque fermentum dui faucibus in ornare quam viverra orci sagittis eu volutpat odio facilisis mauris sit amet massa vitae tortor condimentum lacinia quis vel eros donec ac odio tempor orci dapibus ultrices in iaculis nunc sed augue lacus
All new features available for all public channel users
At risus viverra adipiscing at in tellus integer feugiat nisl pretium fusce id velit ut tortor sagittis orci a scelerisque purus semper eget at lectus urna duis convallis. porta nibh venenatis cras sed felis eget neque laoreet libero id faucibus nisl donec pretium vulputate sapien nec sagittis aliquam nunc lobortis mattis aliquam faucibus purus in.
- Neque sodales ut etiam sit amet nisl purus non tellus orci ac auctor
- Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti
- Mauris commodo quis imperdiet massa tincidunt nunc pulvinar
- Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti
Coding collaboration with over 200 users at once
Nisi quis eleifend quam adipiscing vitae aliquet bibendum enim facilisis gravida neque. Velit euismod in pellentesque massa placerat volutpat lacus laoreet non curabitur gravida odio aenean sed adipiscing diam donec adipiscing tristique risus. amet est placerat in egestas erat imperdiet sed euismod nisi.
“Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum”
Real-time code save every 0.1 seconds
Eget lorem dolor sed viverra ipsum nunc aliquet bibendum felis donec et odio pellentesque diam volutpat commodo sed egestas aliquam sem fringilla ut morbi tincidunt augue interdum velit euismod eu tincidunt tortor aliquam nulla facilisi aenean sed adipiscing diam donec adipiscing ut lectus arcu bibendum at varius vel pharetra nibh venenatis cras sed felis eget dolor cosnectur drolo.
"Show me the incentive and I will show you the outcome" - Charlie Munger's words ring true in today's digital age where data sharing between companies is commonplace. Companies want to signal to other companies their organization has achieved a certain measure of security and compliance. So, companies pour resources into achieving security standards, such as SOC 2, ISO 27001, FedRAMP, DoD IL5, and PCI-DSS, among others. This drives companies to strive for compliance. So, the question is, can you slap a compliance sticker on a company’s service offering even if the service offering has subpar security?
The Five
Here they are, in no particular order:
Over-Reliance on the GRC Team
If your organization's compliance is handled solely by one or a few people on the GRC team, with little input from other stakeholders, it may indicate that your focus is more on compliance than actual security. A more effective approach is to involve all stakeholders in the security process, to ensure that security measures are designed appropriately.
Policy and Procedure Documentation Engagements
If your organization has a large budget allocated to updating policy and procedure documentation, but only for the purpose of passing off something like the “**-1” NIST 800-53 controls, it may indicate that you are more concerned with compliance than actual security. Effective security documentation should be living and breathing and should be simple, accessible, and aligned with security objectives.
Only your GRC Team uses the GRC Tool
If only the GRC or Audit team is logging into the GRC tool, it may indicate that your focus is on compliance over actual security. The tools used for maintaining compliance documentation should be easily accessible to all stakeholders to ensure that everyone is aligned on security objectives.
Over-remediation of Vulnerabilities
If your GRC team recommends remediating every single vulnerability from the vulnerability scan result set, even when the vulnerabilities are not exploitable, it may indicate that your focus is more on compliance than actual security. Collaboration between GRC teams and risk solution owners is essential to prioritize the impact of known vulnerabilities and make informed security decisions.
Misaligned Communication of Security Capabilities
If your sales team, GRC team, security champions, and risk solution owners have different views on the security measures your organization implements, it may indicate a lack of alignment and focus on actual security. A centralized form of communication, as simple as a wiki or Google Workspace, can help ensure that everyone is on the same page.
Compliance !== Security
It is crucial to recognize that compliance and security are not the same thing, and centralizing compliance efforts without considering the input and ownership of security experts can result in significant risks for organizations. By involving security experts and tying compliance objectives to organizational objectives, organizations can ensure that their compliance efforts are aligned with their real security needs and that they can effectively manage risk.
Implement Risk Solutions
Don’t worry, if your organization is showing any of these signals, you are not alone. This is very common. I discussed a super simple way to enhance the collaboration around security and hence, enhance security capabilities in “Risk Solutions: A Step-by-Step Guide."
Don’t be Shy: Everybody’s Doing It
If you’re interested in learning more about implementing a best-in-class security program, follow me on YouTube, LinkedIn, and Twitter where I write regularly talk about these topics. Find the links below. #letsparamify
Kenny Scott
Kenny is an accomplished leader with a 16-year tenure in Information Security and IT Audit. He's widely acknowledged in the industry and has a profound dedication to it. In addition to his technical expertise, Kenny's portfolio includes substantial experience in business strategy, investment, and programming. On the personal side, Kenny is a devoted husband to Angie Scott and a proud father of five. A music enthusiast, he relishes playing the guitar and enjoys surfing when a beach is within reach.
