Compliance is not security. Security is based on compliance!
There is a straightforward way of debunking the belief that compliance is the same as security, and that is the simple fact that well over 80% of the organizations that dealt with a security incident were fully compliant with their standing security policies. There are several reasons why this happens. A very common issue is that policies are outdated and no match for the current risks. Another reason is that most policies are designed to reduce liability, not to prevent incidents.
When we take that forward to cybersecurity, we see that pattern become even worse. Cybersecurity policies that are designed to pass audits and have not been reviewed or updated in several years are very common. Such policies are not designed to constantly improve cyber resilience and grow cyber hygiene throughout the organization.
Security, and especially cybersecurity, is based on compliance with the right policies and standards. And that means that policies must be based on prevention and incident response, growth of skills and knowledge, and cultivating the right mindset!
Dr. ir Johannes Drooghaag – Spearhead Management