Cyber Compliance is The Enemy of Cyber Security

Cyber Compliance is The Enemy of Cyber Security

March 6, 2018 Business Insurance and Risk Management, The Beacon Blog 0 Comments

In a blog posted 9/6/17 “Five Things Business Owners Should Know About Managing Cyber Risk” I wrote “Cyber security is not about a checklist of requirements; it’s managing an organization’s risk to an acceptable level”. In a post last month Jim Kennedy writes that a compliance first approach to cyber security is fundamentally insecure. His reasons:

  • Regulatory requirements are typically at least 24 months old when they are implemented, so they are already out of date.
  • A compliance only approach provide hackers with a blueprint to attack using security weaknesses not covered by regulations.
  • Regulations are open to interpretation and are not business-specific.

While compliance is important it should be subordinate to security. The growth of the Internet of Things means that cyber breaches not only damage or destroy data but are a threat to life and property. In the event of a claim compliance with regulations would be an ineffective defense to testimony that security was inadequate.

Kennedy argues that organizations and regulators need to adopt a “zero trust” mindset. Security should be decoupled from the IT intrastructure to focus on specific user or device vulnerability. Organizations should consider their data assets and applications and determine which users require access to specific assets. By using cryptographic segmentation organizations can ensure that only privleged users have access to sensitive information. Separate encyrption keys make it impossible for hackers to move from one domain or segment into another thus containing a data breach. Only after data is secured should organizations apply compliance requirements.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.