CMMI Institute

A Compliance-First Mentality Increases Enterprise Risk

Author: Frank Downs, Director and SME, Cyber Security Practice, ISACA

Risk, in the context of cybersecurity, constantly looms in the minds of all information security professionals. From the entry-level IT help desk technician to the seasoned chief information and security officers, threats and their potential impact cause serious concern and stress as long as they remain unknown variables. Many organizations attempt to combat this unease and reduce their potential risk levels by conducting compliance exercises. Leveraging open-ended tools, defined by the organizations themselves and combined with third-party auditors, organizations attempt to meet broad compliance requirements in the vain hope that they will become more secure as a result. However, compliance is not risk, and risk is not compliance. Only by actively assessing specific threats, and their potential impact, can businesses truly understand their cyber risk profile. Furthermore, only by mapping their current cybersecurity controls and practices onto that risk profile can an organization truly understand its defensive posture against the harsh wilderness of online operations.

When considering the array of mechanisms that organizations leverage to keep themselves safe online, very few options exist for comprehensively understanding an organization’s defensive stance. The current slate of choices includes tools that protect against common attacks, such as phishing defenses or data loss prevention. When it comes to overall assessments, however, very few capabilities and processes are leveraged – much to the dismay of the users who store their data and personally identifiable information in these companies’ databases. In reality, many companies focus on only a few main elements of security: compliance (which is not actually security), operational security, and data security. While operational security is important – in fact, without operations, security would not exist – it is key to remember that compromising other aspects of a company can lead to indirect operational impact. For example, unsecured vendors who can access the operations of an organization present a potential vulnerability ripe for exploitation by criminal hackers or state actors. Additionally, data security, while important and deserving of extra consideration, may be neglected if operations cease and funding diminishes. As a result, many organizations attempt to prove that their security stance exists holistically by meeting compliance measurements defined by industry bodies and governments alike. Yet this leads many leaders and companies into a treacherous reliance on compliance as security. These leaders then operate on the dangerous assumption that an organization in compliance must be secure.

Operating an organization with a “compliance-first” mentality puts everyone in the business at greater risk. Overemphasizing compliance at the cost of security functions much like overemphasizing children at the cost of a spouse. Compliance levels are like children in that they are what many in society use to gauge the health of a family. Well-behaved, well-kempt children often lead outsiders to assume that a healthy family life exists at home. However, if the children are the sole focus, at the cost of a spouse, serious issues may exist that are not readily evident, placing the family dynamic at greater risk. In the same way, compliance is often the public face of an organization’s preparation and security. It is scrutinized by international assessment organizations, third-party auditing firms, and governments themselves. Yet overemphasized compliance, at the cost of true risk assessments, creates a dangerous operating environment and an increased risk profile.

While the holistic cybersecurity scene seems bleak and concerning, hope is not lost. Specifically, organizations that apply a risk-focused approach to comprehensive security oftentimes find themselves in a strong posture against the headwinds of cybersecurity. Additionally, by conducting thorough cybersecurity risk assessments and determining their cybermaturity, organizations find that they can more easily achieve compliance with the requirements placed upon them by their industry or localities. Furthermore, tools such as the CMMI Cybermaturity Platform let organizations conduct cybermaturity assessments, which determine an organization’s risk profile and assess the application of key practices and controls, so that organizations can understand the maturity of their security teams and their overall security preparedness.

The cyber domain is a scary, yet necessary, place for organizations and businesses to operate. Though threats lurk in every corner, security leaders can ensure that they are appropriately armored. Understanding that cybersecurity risk assessments and maturity measurements, not mere compliance, are the piece of armor to which all other efforts connect will help organizations prepare for the attacks they will eventually face.