Compliance standards create false sense of cybersecurity awareness
Organizations increasingly cater security controls to compliance standards, but doing so could leave critical data and other assets vulnerable.
Being compliant is obviously not a bad thing, but relying solely on compliance for security can certainly become a problem...
Head of CISO Services at LRQA
10y
This is a very good article. Too often or not, there is a tendency to have a client say that they meet this standard and that standard, and when it comes to the risk assessment, it does not look at the overall tempo or operational stance. The easy bit is preparing for the annual audit when compliance is checked, but what about the day-in/day-out posture that the businesses present on a continuous stance? Security controls shouldn't be a project where they are demonstrated once a year for the auditor... it should be in the background and ticking along, ready to alert the business to a security alert at a moment's notice, and not the usual scenario where they are notified by a 3rd party!
Senior OT Specialist at SektorCERT (Denmark)
10y
Great report - each time I read similar stories I am puzzled. Why are these "standards" apparently being used as "ceilings" instead of "floors" - as the minimum requirements? Are certain levels of organizations not paying attention? Ignorance is no longer an excuse. Our industry is full of experts who compete with other experts to publish detailed reports of how the bad guys break in, further supported by organizations who collect and publish further trends and analysis, supplemented by a huge array of conferences where we discuss these same reports. We have excellent advice - i.e. SANS Critical Security Controls - but instead are we apparently just waiting for the next technology solution?