Compliance is a key part of any organization and, in business terms, it means ensuring that companies of all sizes and their employees comply with applicable national and international laws. In the UK, the Companies Act 2006 is the primary source of company law, and businesses of all sizes need to ensure they adhere to it to remain compliant.
However, compliance is only getting tighter with each passing year. Regulations come and go, and companies often have to invest considerable revenue to stay compliant. Many companies often overlook security when ensuring compliance, but if you start from a security perspective, you will often automatically meet compliance needs and cover any tightening regulations.
Cybersecurity is a huge issue in virtually every industry today, with organizations needing to understand the threat landscape and think about how they can effectively respond to cyberattacks with a well-designed plan in place. With a data breach, it’s not about if it will happen, but when it will happen. The cost of a data breach – financially and reputationally – can be so high that it can no longer be ignored by organizations.
There are many cases of organizations that were fully compliant yet still suffered a data breach. In 2021, LinkedIn suffered a breach that affected 700 million users, Facebook suffered a breach in 2019 that affected 533 million users, and Yahoo! suffered a breach in 2013 that affected over a billion users. The problem is getting worse: in 2021, 39% of UK businesses identified a cyberattack against them, and in 2022 the same proportion of UK businesses have already identified a cyberattack against them, and we are only four months into the year. Compliance alone is therefore not enough.
Gary Hibberd, The Professor of Communicating Cyber, said in the white paper “Mind the Cyber Security Gap – Why Compliance Isn’t Enough” that by focusing on the people around the boardroom table and what they are trying to accomplish, we can reframe what we are doing to support and help them. The CFO usually wants to save money, so show them how cybersecurity spending can be better targeted. The CEO will want to increase market value, so show them how good cybersecurity can protect brand reputation. The sales manager will want to increase sales, so show them how they can use cybersecurity as a business differentiator and competitive advantage.
Business leaders can no longer ignore the growing cyber threat and must have security on the agenda not only at the board level, but also at all levels of the organization. But how do you think about your business case for security and get buy-in for cybersecurity projects?
Build a strong business case for security with compliance in mind
Every organization should invest in cybersecurity, with security leaders developing a compelling business case. Starting from a security perspective, compliance will often automatically be covered. Companies should therefore consider the following when trying to gain board buy-in for cybersecurity:
1. Run a full compliance audit
You should perform a full inspection of your current security posture and note any gaps or areas that need improvement. This should include establishing where confidential or sensitive data is stored and who has access to it. Insider threats are common, and many stakeholders don’t understand the risks of potential data breaches caused by malicious or even negligent insiders. It should be noted, however, that not all data carries the same level of risk. This process will likely take time, but it is necessary to get a full picture of the security measures that already exist.
2. Expectations need to be set early on
Cybersecurity is not a service or a product; it is prudent to show how protecting an organization from loss is the way it delivers financial benefit. Try to communicate to the board in figures: for example, show that a £1 investment would stop a security event which could potentially cost the company £10. This way it should be possible to win the board’s vote by demonstrating the business case and return on investment in security and protection measures.
3. Choose the right investment areas
For the board to make its security investment decision, you need to provide it with data that focuses on the already obvious threat vectors, such as inadequate security awareness and training for employees, processes and policies that are not properly applied and recorded, or a lack of data backup practices and patch updates. Formulating a risk/reward equation using a layered security approach is a good way to go, as you can then direct investments towards detection, incident response and compliance.
4. Present a strong business case to the board
Once you’ve created a strong and compelling business case for your organization, you need to share the proposal with the board. When presenting your case to them, consider any questions they may have, their goals, and their general understanding of cybersecurity. Be sure to demonstrate the safeguards and proof points required to support any budget request – these decision makers must be able to make informed decisions not only for an organization’s security posture, but for the organization as a whole.
When submitting a strong business case for security, it’s important to align your plan with your organization’s risks, needs, and compliance requirements. Every organization wants to be secure for the long term, but compliance requirements mean they often remain focused on the short-term cycle. Organizations must create a strong partnership between compliance and security if they want to protect their systems and data – treating it as a choice between one and the other will not work.
We spoke to several experts with knowledge of security and compliance program management, who shared their experience of the disconnect between cybersecurity and compliance. To learn more, download a copy of our white paper “Mind the Cyber Security Gap – Why Compliance Isn’t Enough” now.