Skip to main content

Go Beyond a Compliance-Focused Approach

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the risks involved in compliance-focused security.
  • Explain the importance of managing regulatory risk.

The Risks Inherent in Compliance-Focused Security

As emerging technologies continue to change the landscape of cybersecurity, compliance requirements are also evolving to keep up with the changing threat environment. Cybersecurity compliance is a reality for nearly every industry. And along with a degree of protection for systems and assets, cybersecurity compliance contributes to an organization’s ability to maintain a positive reputation, build trust and credibility, and avoid costly legal and regulatory penalties. However, there are several security and corresponding business risks inherent in cybersecurity compliance when business and security leaders take a compliance-focused approach to security. 

An imbalanced scale with different symbols on each side representing the various risks.

A compliance-focused (or compliance-first) approach to security is a strategy that prioritizes meeting regulatory and industry compliance requirements as the primary focus of a company’s security program. This approach often involves putting in place a series of security controls and practices to meet the requirements of various regulatory frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS).

The security and business risks inherent in a compliance-focused approach to security include:

  • False sense of security: Organizational leaders may become complacent after achieving compliance goals, assuming their systems are fully secure. This can lead to lack of attention to ongoing security threats and an increased risk of a breach.
  • Fear of noncompliance: The fear of the consequences of noncompliance (fines, reputational damage, damage to commercial partnerships) can cause organizations to focus on demonstrating compliance with security standards rather than ensuring the security measures they take are appropriate to their operations.
  • Limited visibility: Compliance-focused security measures may not provide complete visibility into all potential threats, creating “blind spots” in your cyber risk management strategy and a larger, unseen, attack surface.

In other words, establishing a secure foundation by focusing, primarily, on compliance with cybersecurity laws and regulations is like securing the front door but leaving all the windows open. Successfully securing the front door of a house with interior and exterior locks can provide a sense of security. However, leaving the windows open creates multiple vulnerabilities that can be exploited by intruders and insider threats. 

The same is true for cybersecurity compliance requirements that provide a minimum set of standards that organizations are required to meet. But they do not necessarily address all the potential security risks and threats that organizations may face. Therefore, it’s important to take a comprehensive approach to cybersecurity that includes not only compliance measures but also proactive security measures to ensure that all potential entry points are adequately assessed and protected.

Compliance Risk vs. Regulatory Risk

Compliance Risk

Compliance risk refers to the potential for a company to experience losses (for example, financial, reputational) due to its failure to comply with laws, regulations, or industry standards. For example, noncompliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) can result in fines of up to $50,000. In addition, costs associated with responding to a data breach, including legal fees, remediation expenses, and damage to reputation, can be significant. 

Regulatory Risk

Regulatory risk refers to the potential for a company to experience losses or other negative effects due to changes in law and/or regulations. For example, ransomware is one of the most recent issues that was a regulatory risk for years, meaning while ransomware was a problem, there were no laws, regulations, or industry standards in place requiring companies to implement security measures. Then, because of the rising sophistication and number of ransomware attacks, the regulatory risk was realized.

In March 2022 Congress signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires critical infrastructure companies, including financial services, energy, and healthcare to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA).

Managing Regulatory Risk

Managing regulatory risk involves holistically assessing and mitigating security risks beyond compliance risks because the focus is on security threats that could potentially impact your business at multiple levels (for example, industry, market, sector). For instance, a regulatory risk assessment could reveal potential new security laws that could: 

  • Increase the costs of running a business. For example, data protection requirements like data backups can be costly to set up and maintain.
  • Change the competitive landscape. For example, meeting standards like PCI DSS can give some companies a competitive advantage over others that are not able to meet them.

If a regulatory risk assessment reveals the potential for new cybersecurity laws or regulations, there are ways to prepare.

  • Engage with legislators. Provide input and feedback on the proposed law to ensure your perspective is considered during the legislative process.
  • Review and update cybersecurity policies. Review your cybersecurity policies and procedures to make sure they align with any new or proposed regulations or standards.

By incorporating a compliance program and regulatory risk management in with your existing cybersecurity risk management program you can future-proof your cybersecurity risk management culture to protect both the organization and its stakeholders from the negative impacts of cyber threats to help ensure the emerging future of the organization is secure and resilient.

Sum It Up

Now that you learned more about the risks inherent in compliance-focused security and how to manage regulatory risks let’s explore a secure digital future.

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback