Compliance vs Security

Brian Minick

At the end of the day, what exactly is cyber security and what falls within the scope of a cyber security program? We all probably have our own ideas of what is and is not cyber security. Having had an opportunity to speak with numerous CISOs, I find it interesting how different some of these ideas are even among the experts in the field. Taken as a whole, my experience is that there are two broad camps when it comes to answering this question. The first camp tends to point toward a compliance framework, the second camp tends to point towards an attacker or set of attackers.

I believe that historically, the cyber security industry grew up around this idea of frameworks. In a day and age when performing certain tasks like patching, account management, or defining really good policies effectively reduced a considerable portion of organizational risk, compliance frameworks served an immensely important function. Without a framework, how do you measure the quality of a cyber security program? Without a framework, how do you know that your business partners can be trusted with your data? Without a framework, how can you gain support from leadership to improve your program? Compliance frameworks provide a much needed measuring stick against which we can compare and contrast while also setting minimum standards. Historically, compliance frameworks were also very effective at reducing risk. It’s no wonder they have been so widely embraced by the industry.

Customers now require our compliance. Regulators now require our compliance. Without compliance, in a lot of cases, businesses would not be allowed to do what they do.

While there is value in compliance frameworks, the rise in targeted threats has exposed their shortcomings. In no way am I supporting businesses throwing out their frameworks. Organizations should realize though that compliance with a framework does not necessarily make them secure. Just look at some of the recent breaches that have been made public. Most of those companies had strong internal compliance programs, were compliant with relevant frameworks, and were still compromised. When talking about targeted attacks, compliance no longer equates to security.

This is where the second camp of CISOs comes in. This group acknowledges the value of compliance frameworks, but they don’t stop there. They set a higher goal for their organization. They strive to gain complete visibility into their environment to better detect attacks. They strive to learn about who is attacking them so they can better defend themselves. They realize that doing what everyone else is doing may actually make them an easier target: knowing what defenses are in place is the first step in defeating them. In short, they no longer focus on aligning to a framework; they focus on actually securing their environments.

There is a subtle difference here. In theory, compliance with a framework should make you secure. In effect, compliance and security should be one and the same. The reality that many CISOs are dealing with is that they are not one and the same. There is a difference. I’m amazed at how quickly a breach can move a CISO from the compliance camp to the security camp.

Morphick Cyber Security can give you visibility into what is actually happening inside your network. Based on those findings, we can also create customized solutions that fill the gaps and address the risks that only your business faces. When it comes to cyber security, there are no one-size-fits-all solutions. Every business has its own unique environment housing unique data sets, which attract unique attackers. To move from compliance to security, contact Morphick.