The Olympic Games are finally here! As you watch the track and field events, imagine your surprise if one of the runners lined up facing the wrong way and ran backwards around the track. It would seem foolish or impossible, yet this is exactly how many organizations today "run the race" of managing cyber-risk, security, and compliance.
Budgets often start with compliance: which regulations and standards must the organization absolutely meet? Dozens of different security and privacy laws, regulations, and standards may apply to any given organization today, so it is natural to budget first for requirements that cannot be avoided. Those requirements then dictate which security measures are put in place: how data must be handled, how the network is built, which policies are written, and much more. Sometimes this is where the security budget ends; sometimes it is only the core of a more expansive one. Risk assessments are frequently performed only because one or more standards or regulations require them, and no additional money is allocated to understand or address the risks they uncover.
In a perfect world, an organization would first spend an appropriate budget to understand and address its risk, and then use that understanding to set a security budget proportionate to the risk. Done well, the controls chosen to reduce risk would also satisfy the applicable compliance requirements as a natural by-product of the process. Unfortunately, even though this is the correct direction to run, few organizations do it well, and those that try face various challenges along the way that can derail the process.
After a thorough risk assessment, the identified risks must be translated into sound security practices, and those practices must then be checked against the applicable compliance regulations and standards to confirm they satisfy them. The whole picture should be considered in that order: risk at the top, security as the core, and compliance as the finish line.
Most compliance regulations and standards are built around protecting some type of data. With so many constantly changing requirements covering so many types of data, one of the best things you can do is adopt a simplified, comprehensive approach to securing all of your data. If you need to turn your organization in the right direction to run this race, contact us here or check out our compliance page so we can help you get ahead of your competition and win the data security race.