Cybersecurity Risk vs. Compliance: What is the Difference and Why It Matters

When it comes to cybersecurity, much of the discussion and emphasis has shifted from “compliance” to “risk.” So, what is the difference? Compliance is like addition and subtraction: you apply the things you have memorized. Risk is more like calculus: you have to work things out.

Risk and compliance also differ in how we think about them. We usually think of risk as top-down and vertical: controls are ordered from the most relevant down to the least essential. You cannot eliminate risk, so you have to evaluate and prioritize. Compliance is often thought of as lying on a horizontal plane, with every mandated control carrying the same importance.

What do we do when resources and time constraints do not allow us to accomplish everything? We automate what we can. With automation software, STIG compliance cost and effort can be reduced by between 70% and 90% in the RMF/ATO process. Using machines and technology to automate compliance efforts ultimately frees team members to focus on the important risk objectives that require human thinking and attention.
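The two views the article contrasts, a flat compliance checklist versus a risk-ranked remediation list, are easy to see in a small automated checker. The following is an added example written for this page, not code from the article or from any vendor's product. It parses a constructed `sshd_config` and evaluates it against constructed rules that mimic STIG severity categories (CAT I, CAT II, CAT III). The rule IDs (`EX-SSH-00x`), the severities assigned, and the sample configuration are illustrative placeholders, not real STIG identifiers or a real host's settings.

```python
"""Added example (not from the original article): a minimal STIG-style
configuration checker that produces both a flat compliance report and a
risk-ranked remediation list from the same findings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str      # placeholder id, NOT a real STIG identifier
    setting: str      # sshd_config directive name
    expected: str     # required value (compared case-insensitively)
    severity: str     # "CAT I" (highest) .. "CAT III" (lowest); illustrative
    description: str


# Constructed rules; severities are assumptions for illustration only.
RULES = [
    Rule("EX-SSH-001", "PermitRootLogin", "no", "CAT I",
         "Root must not log in directly over SSH"),
    Rule("EX-SSH-002", "PermitEmptyPasswords", "no", "CAT I",
         "Empty passwords must be rejected"),
    Rule("EX-SSH-003", "ClientAliveInterval", "600", "CAT II",
         "Idle sessions must time out"),
    Rule("EX-SSH-004", "Banner", "/etc/issue", "CAT III",
         "A login banner must be displayed"),
]

SEVERITY_RANK = {"CAT I": 0, "CAT II": 1, "CAT III": 2}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the first occurrence of each
    directive. sshd honours the first matching directive, so a later
    duplicate must not override an earlier one. Blank lines and full-line
    comments are skipped. Caveat: 'Match' blocks are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # directive with no value; ignore for this example
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def evaluate(settings, rules=RULES):
    """Return a list of (rule, actual_value_or_None, passed)."""
    results = []
    for rule in rules:
        actual = settings.get(rule.setting.lower())
        passed = actual is not None and actual.lower() == rule.expected.lower()
        results.append((rule, actual, passed))
    return results


def compliance_view(results):
    """The horizontal view: every mandated control counts the same, and a
    single failed control makes the host non-compliant."""
    failed = [rule.rule_id for rule, _, ok in results if not ok]
    return {"compliant": not failed, "failed": failed, "total": len(results)}


def risk_view(results):
    """The vertical view: open findings ordered by severity, CAT I first,
    i.e. what to fix first when you cannot fix everything."""
    open_findings = [(rule, actual) for rule, actual, ok in results if not ok]
    open_findings.sort(key=lambda f: SEVERITY_RANK[f[0].severity])
    return [(rule.severity, rule.rule_id, rule.setting, actual, rule.expected)
            for rule, actual in open_findings]


# Constructed sample input; not a real host's configuration.
SAMPLE_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
ClientAliveInterval 600
ClientAliveInterval 0
"""

if __name__ == "__main__":
    findings = evaluate(parse_sshd_config(SAMPLE_CONFIG))
    print("Compliance:", compliance_view(findings))
    for sev, rid, setting, actual, expected in risk_view(findings):
        print(f"{sev:8} {rid} {setting}: found {actual!r}, required {expected!r}")
```

Running it shows the difference in one screen: the compliance view reports "non-compliant, 2 of 4 controls failed" and treats the missing banner exactly like the root-login finding, while the risk view puts the CAT I `PermitRootLogin` finding at the top and the CAT III banner at the bottom. The duplicated `ClientAliveInterval` line also demonstrates why the parser must keep the first occurrence rather than the last; a checker that took the last value would report a false failure on that control.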

