Home Enews-Sept 2023 Are you drowning in compliance?

Are you drowning in compliance?

by STEVE MANSFIELD-DEVINE

As new mandates come online, most firms need to ensure IT systems meet changing regulations. But is compliance stealing resources from cybersecurity efforts?

Four out of five firms are more worried about compliance than they were five years ago, according to recent research from Hornetsecurity. In more than half (57%) of organisations, the IT department bears the load of compliance assurance, the study reveals.

“There are processes, organisational ard technical components. A given organisation may be beholden to multiple regulatory frameworks and governing bodies – each with its own ever-changing rules and requirements. On top of that, amidst the chaos of getting these controls into place, many organisations struggle to keep up with changing regulations.”

In many cases, this is complicated by the fact that different people within the organisation are responsible to various regulators.

“GDPR, for example, falls under the data protection officer’s remit, PCI or the Digital Operational Resilience Act (DORA) regulation might fall on business application owners, while NIS2 may come under an organisation’s CIO or CISO remit,” says Romain Deslorieux, director strategic partnerships for cloud protection at Thales.

Major distraction

However, at a time when many organisations are also struggling to ensure adequate cybersecurity, often with overworked staff, aren’t compliance efforts likely to have an impact?

“The burden of compliance can be distracting,” says Erfan Shadabi, cybersecurity expert at comforte AG. “Instead of proactively fortifying their defenses and staying ahead of cyberthreats, organisations may find themselves allocating significant time and resources to meet regulatory obligations.”

Compliance and security are not the same thing.

“While being compliant with certain regulatory frameworks does tend to improve a business’s security posture through documentation and good security practices, being compliant is by no means a guarantee of security,” says Hofmann. “There is also an argument to be made that IT departments that are focusing heavily on complex compliance requirements may mistakenly miss security basics.”

You may also like

Leave a Comment