Home » Topics » Governance, Risk and Compliance » 3 cybersecurity compliance challenges and how to address them

3 cybersecurity compliance challenges and how to address them

Staying compliant: security teams can ill afford to keep their eyes off regulation requirements.

by Sadie Williamson

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity awareness month may have ended weeks ago, but the strict observance of cybersecurity best practices remains to be a priority for organisations across verticals. With the heightened aggressiveness and sophistication of cyber threats, every month needs to be cybersecurity month. Today’s business leaders acknowledge the need for better protection against cyber attacks, including the necessity of cybersecurity compliance, which puts CISOs as well as CCOs on the spot.

It is true that complying with leading cybersecurity frameworks like SOC2, NIST, CIS and ISO does not necessarily equate to having adequate protection. On the other hand, it is still important to follow legally mandated rules and policies as part of cyber defence building, and earning those trust seals can strengthen relationships with board members and prospective customers.

Proper cybersecurity compliance is easier said than done, though. Even the biggest organisations encounter difficulties in keeping up with regulations. Here’s a look at three of the biggest challenges organisations need to overcome as they defend their IT assets in line with cybersecurity’s various regulatory frameworks.

Top cyber security monitoring tools for your businessHere are some useful tools to help your business effectively and cost-efficiently bolster its cyber security defence arsenal.

Evolving regulations

Regulatory rules, policies, and requirements continuously evolve. They are updated or modified in response to various factors, including changes in the market, the way products are used, the threat landscape, and the laws or regulations imposed in specific states or regions.

Changes in regulations can be as rapid as the introduction of new products or the emergence of new threats and attacks. Thus, organisations need to be agile enough to keep up with regulatory changes. Unfortunately, not many of us have the ability to do this on our own. Cybersecurity skills shortage continues to be a problem when it comes to compliance. Many organisations lack the right people to properly address cyber threats, let alone continuously monitor regulatory changes.

The challenge of keeping up with changing regulations can be addressed with the help of resources that track updates for you. Often, these are related to specific business niches. For companies involved in credit and financial service operations, for example, the cybersecurity alerts of the National Association of State Credit Union Supervisors (NASCUS) provide up-to-date information on the latest regulations that affect those in the business of extending credit and other financial services.

There are also regulation monitoring subscription services that provide updates on regulations in general. Examples of these include Thomson Reuters Regulatory Intelligence, Deloitte Regulatory Alerts, Bloomberg Law Regulatory Alert, and PwC Regulatory Insights. These can help organisations maintain compliance with crucial regulations without having to manually keep track of all relevant laws and policies and analyse their impact on doing business. They also provide analysis and insights to help organisations align their operations with all legal requirements, avoid pitfalls, and overcome challenges.

Complex internal GRC requirements

Governance, risk, and compliance (GRC) is a phrase that refers to a framework employed by organisations as they set and manage their objectives, strategies, and operations in line with regulations, laws, and codes of ethical conduct.

GRC can be a tricky aspect of running an organisation, because managing it can be more complex than what many CISOs are used to in their daily cyber posture activities. Fulfilling, and even steering, the GRC requirements of your C-suite and board is hardly a straightforward endeavour, and often, integrating all three presents an even bigger challenge.

  • In the case of governance, it might be relatively easy to set the organisational mission and strategic goals, but it can be quite challenging to define roles and responsibilities, ensure accountability, implement effective internal control, and maintain oversight.
  • With risk management, there’s the overwhelming, ongoing process of identifying, prioritising and monitoring various types of threats, formulating risk mitigation strategies, and ensuring proper strategy implementation.
  • Meanwhile, compliance management calls for an organised way of setting internal controls and policies vital to meeting framework requirements, monitoring and reporting on compliance statuses, and quickly addressing issues that might lead to non-compliance.

The key to being effective here is the ability to bring together governance, risk, and compliance seamlessly and consistently. This is enabled with solutions like Cypago, a cyber GRC automation platform. Most aspects of governance, risk, and compliance management can be automated to ensure maximum visibility, robust enforcement, and solid efficiency. It also supports automated audits, including the collection of data from sources that are conventionally siloed to enable in-context gap analysis and better accuracy for reports and insights.

GRC is particularly important in heavily regulated industries not only because of the consequences of failing to comply with existing regulations. It is advisable for organisations to ensure good IT governance and sensible cybersecurity in light of the growing aggressiveness of threat actors and the high costs of cyber attacks. GRC can be highly complex, but it can be made manageable and efficient with the help of expert-designed automation solutions.

IT risk management best practices for organisationsExploring the IT risk management best practices that CTOs must implement to keep the organisation properly protected.

AI in cybersecurity

Another crucial challenge in complying with cybersecurity regulations is the prevalence of artificial intelligence. Many cybersecurity firms have put out products that are purportedly AI-powered. The problem is that there is no clarity as to how regulators deal with AI.

Fully autonomous cybersecurity solutions could pose dengers unto themselves, due to their potential vulnerability to adversarial AI attacks that can render them ineffective. Also, adversarial AI can lead AI-aided cyber defenses making erroneous decisions or assessments by polluting the data used by the automated decision-making processes of these systems.

The cybersecurity industry and regulatory bodies are still unsure if the use of AI in cybersecurity is safe and effective or if it only creates new unknown vulnerabilities that cunningly persistent threat actors get to exploit. Also, there are no clear specifications on what constitutes useful AI in cybersecurity. Anyone can claim to use AI in their solutions and face no consequences for the misrepresentation. Additionally, there are no mechanisms to evaluate if AI systems really work as intended.

In this sense, AI carries its “black box problem” into the field of cybersecurity, which means people have no idea how they work so they have no viable ways to test their effectiveness and troubleshoot them if they go haywire.

Regulators need to come up with better standards, policies, and rules when dealing with artificial intelligence, especially since it is already widely adopted. Even the loose use of the term “AI” in the marketing of cybersecurity solutions needs to be regulated. It can mislead users of security products, misrepresent capabilities, and create a false sense of protection.

For now, the best way to deal with the AI dilemma in cybersecurity is to stick to established cybersecurity brands. Leaders such as Crowdstrike and Palo Alto Networks have the reputation and track records to prove that they can deliver on their claims of AI-powered cyber protection, and they are not merely throwing out AI as a marketing buzzword.

The takeaway

Cybersecurity compliance should not be viewed as the be-all and end-all of cyber defence. However, it does matter. The challenges surrounding compliance should not be downplayed or ignored. Instead, they have to be addressed squarely and with an emphasis on building reliable protections against all threats and attacks.

Related:

Best GDPR compliance software for CTOsNot being compliant when it comes to data protection could cost your business millions. But using software to automate cybersecurity compliance can save you time and money.

Sadie Williamson

Sadie Williamson is the founder of Williamson Fintech Consulting. With over a decade in the fintech arena under her belt, she helps fintech firms to develop custom solutions targeting a variety of verticals. Her...

Related Topics

Compliance
Cyber Security
Data regulation

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise

Cybersecurity

How to set up a cybersecurity honeypot for your business

Honeypot tactics remain a widely explored aspect of business cybersecurity - here's how to get the best out of this strategy.