CMM: cybersecurity beyond compliance | ITProPortal

In recent years, ‘compliance’ has become a bit of a buzzword within the cyber security sphere. However, whilst companies have been concerning themselves with ticking regulatory boxes, they have lost sight of the outcome. 

Compliance measures whether a control is in place, but it does not measure how effective that control is. As a result, businesses ask the wrong questions and make poor investment decisions — blinded by shiny new technologies and the coveted stamp of compliance.

An outcome-driven approach 

Instead of conducting box-ticking exercises, organizations should be driving information security priorities and investments with an outcome-driven approach that takes their capabilities into account. 

All too often, businesses assume they can quickly adopt new, sophisticated cyber security schemes where no such capabilities existed before. But this is not the case. Information security programs have to go through a maturation process, and these improvements take time. In much the same way you would teach a child to walk before teaching them to run, organizations’ cyber security programs have to grow up — mature — steadily, taking one cautious step at a time.

To…
