Cybersecurity Risk vs. Compliance: What is the Difference and Why It Matters
Cybersecurity for computer networks and systems keeps getting harder every day. Hundreds of new attack vectors and threats appear daily. Protecting systems and data requires sustained defensive vigilance and action from CISOs, CTOs, CIOs and the personnel who work for them at multiple points in the value chain that delivers information systems services to a demanding customer base. Cyber incursions are happening at scale, bad actors are behind them, and we have to eliminate or mitigate the risk. In government, compliance usually means adhering to a law, regulation, or standard that serves as the bare minimum for building a resilient environment and preventing chaos. Compliance does not equal risk management. Compliance is the minimum standard: the foundation that can be measured and that provides consistency across your information systems. So what comes first – risk or compliance?
Cybersecurity risk vs. compliance continues to challenge all of us in how we secure our networks. Information Systems Security Officers (ISSOs) and others in similar roles recognize the overwhelming challenges of risk and compliance, and look to manage risk effectively to control the threat and prevent or mitigate bad outcomes. So, let’s back up for a second and ask the question, “What exactly is risk?”
And how exactly does compliance fit into the equation?
For cloud providers, compliance is rewarded with FedRAMP certification. For terrestrial applications and systems, it’s accreditation under the Risk Management Framework (RMF). The criteria for these compliance standards are continually changing, because information system operations, applications, development practices and threats keep changing.