As the cybersecurity industry continues to introduce more regulation and compliance standards, I find myself questioning whether this continues to drive the right outcomes for businesses in reducing cyber risk.
The cybersecurity threat landscape continues to evolve and become increasingly complex. In response, we see the introduction of more regulatory measures and more compliance standards.
These standards are intended to enhance the overall security landscape and ensure that best practices are consistently followed and adopted.
At least, that’s the intent …
Security standards often lack context regarding why certain controls are required and the cybersecurity threats they address. As a result, those security standards tend to represent similar types of controls, just with slight variations in wording or context.
Conceptually, I think about cybersecurity standards in the same way you use a car manual. You can read through the manual on each individual car feature and learn what controls to use to improve car safety.
But focusing just on the individual controls in that car manual doesn’t make you a good driver.
Becoming a good driver requires an understanding of the potential threats that exist when driving and the risks they pose, so that you know which of those car features and controls are best applied in which situation.
The industry needs to evolve beyond just checklists of controls to build on stronger methodologies that show how controls are best selected and applied.