In today’s complex world, CISOs face increased pressure to provide a winning value proposition to their organizations. 

Sometimes that sets up a clash between compliance and risk management. 

Risk management, by its predictive and strategic nature, tends to create value.  By spinning out risk scenarios and identifying potential risks, businesses should benefit from new and innovative processes that could augment revenue, reduce operational costs, and empower executives and board members with actionable information to make the right business decisions. 

Obviously, security teams cannot provide ironclad protection against risk: because risk is constantly evolving, no one can foresee every possible scenario.  Because it allows businesses to take steps to create value, risk management has a value beyond just minimizing risk. 

The compliance component is a different beast.  Compliance is valuable because it instills a rigor that organizations are required to take seriously.  There is a school of thought that a robust compliance program will make you secure. 

Compliance requirements are very specific, very reactive, and very prescriptive.  The guiding principle is to lay out some best practices.  Since the scope is narrower than risk management, and broad interdepartmental transparency is not required, compliance does not necessarily assure the more comprehensive protection security teams are seeking.

If you do not comply, though, you get fined. 

There is a juggling act between compliance and risk management that is harder to maintain in times when resources are tight.  Organizations may not have the budget to assure the best risk management strategy while also fulfilling the compliance requirements necessary to avoid sanctions and the corresponding reputational damage. 

That creates a dilemma requiring some tough decisions.  Oftentimes, organizations find themselves having to focus on compliance even when 1) they know it is not offering top protection and 2) it doesn’t make sense within their risk profiles.  When regulators ask for something, it must be supplied. 

Moreover, some businesses have multiple and sometimes overlapping regulatory frameworks to comply with.  As they cannot present the same evidence to different frameworks, compliance becomes a burdensome business requiring an army of people to prepare and present evidence for regulatory requirements several times a year.  

It is time to bring people into a room and hash out a proposal to consolidate regulations so that organizations can comply more cost-effectively, thereby leaving more money available to focus on broader risk management.  When you look at the cyber component of regulations, a lot of things are duplicated.  Passwords are passwords, no matter what your business does.  Our business is constantly evolving in these volatile times, and it is time for the regulatory landscape to keep pace with this ever-changing environment.