Resilience, Not Compliance, is a Real Cybersecurity Strategy

By E. Doug Grindstaff II, CMMI® Institute Sr. VP of Cybersecurity Solutions

Compliance is not a cybersecurity strategy. Yet it still passes for one at many companies, as pressure to comply with proliferating cybersecurity and privacy frameworks and regulations keeps drawing focus away from the real strategic imperative: cyber resilience.

It’s easy to understand the compliance-driven mindset. People in the unenviable position of safeguarding their companies’ valuable data must work to satisfy many masters, whether they’re staving off regulatory enforcement, placating skittish boards of directors, or allowing their staffs the satisfaction that comes from checking a box in a framework that—at least in theory—indicates a win against the bad actors out to damage their company.
The pull of compliance is only getting stronger by the day. Consider, for example, that May 2019 marked the one-year anniversary of the deadline for implementing Europe’s General Data Protection Regulation (GDPR), a rule with global reach and enforcement power to the tune of billions of dollars in fines. Today, companies around the world are still struggling to comply. “California GDPR” is coming up fast, in January 2020, and many other states and countries are following suit.

But compliance is only very good at solving one problem: compliance risk. Beyond that, it is informative but not very helpful when it comes to mitigating enterprise cybersecurity risk. What’s needed is a risk-driven culture of resilience characterized by environmental and situational awareness, first-rate training, habitual testing and persistent vigilance. All of the compliance in the world will not deliver that.

Compliance is a Lagging Indicator
The challenge with compliance is it’s a lagging indicator in a fast-moving world. By its very nature, a consensus public-private sector framework or a government regulation takes time to produce. For instance, the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.0 was published in 2014; Version 1.1 was released in 2018. Regulatory standards stay on the books for years while the entire world changes around them.

One way or another, these are primarily look-backs, based on how other companies have been breached in the past. But you need to prepare for threats that are emerging. And while other companies’ problems can be instructive, you need to focus on the most relevant risks to your company—not theirs.

The Immediacy of Cybersecurity
For me, this brings Jeff Bezos’s “day one” concept to mind. Every day is a fresh day, with all new threats from people trying to destroy your business. The immediate, incessant questions should be these: What are the risks to your business? Which are the greatest threats? Are your capabilities sufficient to tackle them? How are you building resilience against them—every day? How are you training for them, testing your mettle and assessing your defenses in the moment?

This is a very long game, and it cannot be a game of chase—as in, evaluating the readiness of your cybersecurity program based on how others have already been breached. Instead, a customized, resilience-driven cybersecurity program prepares you to take a punch and stay on your feet. Because you will take a punch.

I’ve met with strong proponents of this resilient approach—including a Fortune 500 company that is now a best-practice leader, in part because it suffered a devastating breach in the past. What this company now does involves a mix of tracking the bad actors it sees as its greatest threats, mapping their moves with predictive analytics, consulting the intelligence community to keep up with new threats, simulating attacks on its own data, retraining employees and recalibrating systems based on how well they survived these “attacks” and, importantly, incentivizing resilience.

Not every company has the resources to perform like this at scale. But each element of this program is relevant to all.

The Road to Resilience
Trying to answer this challenge with a sea of spreadsheets, as so many still do, can drain the resources of any organization. For one thing, frameworks overlap with each other yet also differ in important ways. How do you prioritize? How do you make sure you don’t duplicate work? How do you comply with these frameworks most efficiently, while reaching beyond compliance to prioritize your company’s actual risks?

My conversations about these issues with those on the cutting edge—and those suffering a thousand cuts—have all informed the development of the CMMI Cybermaturity Platform.

The CMMI Cybermaturity Platform provides the foundation for a necessary shift toward a cyber-resilient culture in which you can manage the challenge more strategically, dynamically and effectively. And the platform also embraces the regulatory challenge. While it foregrounds your organization’s unique risks, it also shows how your cybersecurity capabilities align with important regulatory frameworks.

You’ll never get to “all-clear” in today’s cyber risk landscape. Resilience is the order of the day.