Generating Competitive Advantage Through Compliance

All too often, security compliance is regarded as a series of hurdles the business needs to jump through in order to achieve accreditation. It tends to be regarded as red tape and a barrier to getting things done.

But changing the mindset of the executive body so that regulations are regarded as helping rather than hindering ambitions can pave the way for the business to become more efficient and more competitive in the marketplace.

From a security perspective, cyber risk is the predominant factor in the decision-making process, and this seems to contradict the primary objectives of the board, which are to save money, save it faster, make money, make it faster and manage the risks that threaten those objectives.

Yet the two need not conflict if controls are applied in such a way that they allow the business to achieve those goals, rather than acting as an impediment.

A good analogy here is Formula 1 racing. Racing driver Mario Andretti famously said: “It’s amazing how many drivers, even at the Formula 1 level, think that the brakes are for slowing the car down”. In actual fact, those brakes are there to give the driver the control to enter and exit a corner and, in so doing, optimise the performance of the car and the time taken to complete the circuit. Similarly, compliance can enable processes and procedures to be better understood.

Streamlined By Compliance

For example, there may well be changes or improvements that the business wants to make to software or systems to boost its competitiveness, and it is at this point that risk and compliance can become an obstacle. However, if the business puts compliance first and implements the necessary processes, expectations can be met more quickly. By putting processes X, Y and Z through the risk management lens, it becomes possible to see which elements are or are not applicable, and which could confer competitive advantage versus which could constitute a block.

Let’s use the hypothetical example of a US company selling software to a non-aligned market such as Russia or China. That team would face export controls on its software. By identifying where those barriers to export lie at the earliest stages of the process, the business can get the product into production more quickly, without the need to retroactively engineer further down the line, which would cause delays. The process is effectively streamlined in accordance with compliance requirements.

To get to this position, the board needs to actively engage with its responsibilities from a regulatory compliance perspective. Of course, compliance with cyber security regulations and standards is not optional – it is a legal requirement that protects the company from fines and reputational damage – but complying with regulations and utilising them are two very different things.

To establish where the business is in terms of its compliance maturity, it’s necessary to ask some searching questions.

Questions To Consider

First and foremost, what role does the board play in overseeing the company’s cyber risk management and compliance strategy? Is it purely passive or does it seek to lead? Does the board seek to stay informed about the latest cyber threats and trends or is it simply reactive? How does the board evaluate the effectiveness of the company’s cyber risk and compliance management, and applied security measures? What measures are in place to ensure that the company complies with relevant cyber security regulations and standards? And how would the board describe the company’s approach to ensuring that there is an appropriate incident response capability?

The answers to these questions should ideally see the board taking an active role in the security management of the company.

Effective leadership in this regard will help the business stay abreast of relevant regulations and standards and ensure that compliance efforts are thorough and proactive. This is vital because the regulatory landscape for cyber security is complex and ever-changing, so the board needs to be aware of its legal and regulatory requirements on an ongoing basis.

Compliance with the Digital Operational Resilience Act (DORA) provides a good example, as it is relatively recent. Being able to demonstrate compliance with DORA is one thing, but being able to articulate that in terms of the controls and risk management processes that are in place can be a strong business enabler. From a marketing point of view, compliance with DORA marks the business out, signifying that it has met stringent demands. This then allows the business to win new customers or renegotiate contracts from a stronger position, thereby bolstering its competitiveness.

Personal Accountability

The general direction of travel with respect to regulations is that the board is increasingly being held accountable. Revisions to disclosure requirements such as the Securities and Exchange Commission Form 8-K, NIS2 on the continent and possibly the Cyber Security and Resilience Bill here in the UK all require senior management to be able to demonstrate oversight of risk management. A failure to do so could result in those individuals being held personally responsible, making it even more pressing that this issue is addressed.

The reality is that the board must now get to grips with compliance and should regard it as another critical aspect under its remit.

But this needn’t equate to an increase in workload. Senior executives at board level seldom hold cybersecurity experience, so it makes sense to put in place a risk management and compliance committee to keep them informed. The committee should include members with diverse expertise in finance, operations, legal, compliance and strategic planning, and should seek to evaluate, mitigate and monitor various risks, reporting back to and informing the board. In addition to providing compliance oversight, such a committee can also identify risk, review policy, evaluate internal controls and ensure that reporting mechanisms are effective.

Aided by these personnel, the board can then begin to use compliance as an enabler that informs the decision-making process and strategically allows the business to position itself to capitalise upon market opportunities.

James Eason is GRC CRA Practice Lead at Integrity360

Image: Ideogram
