Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Why Security Can’t Live Without Compliance

 A risk-based Approach to Security Can Help Organizations Reduce Risk, Lower Costs, Improve Response Readiness, and Increase Risk-posture Visibility… 

 A risk-based Approach to Security Can Help Organizations Reduce Risk, Lower Costs, Improve Response Readiness, and Increase Risk-posture Visibility… 

When it comes to determining an organization’s security posture, it is a commonly held belief that performing vulnerability management will address any threats and minimize the risk of a data breach. However, without putting vulnerabilities into the context of the risk associated with them, organizations often misalign their remediation resources. This is not only a waste of money, but more importantly, it creates a longer window of opportunity for hackers to exploit critical vulnerabilities. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software flaw. Therefore, even vulnerability management needs to be supplemented by a holistic, risk-based approach to security, which considers factors such as threats, reachability, the organization’s compliance posture, and business impact.

So, what is the relationship between IT security, risk management, and regulatory compliance?

Let’s start off with an organization’s security posture, which is often mistaken to be the same as its exposure to vulnerabilities. However, there are far more factors that influence an enterprise’s security posture. For example, without a threat, a vulnerability cannot be exploited. Another limitation is reachability—if the threat cannot reach the vulnerability, the associated risk is either reduced or eliminated.

Security and ComplianceIn this context, an organization’s compliance posture plays an essential role, as compensating controls can be leveraged to prevent threats from reaching their target. According to research conducted by Verizon Business, a majority of incidents are avoidable through simple or intermediate controls. This illustrates the importance of compensating controls in the context of cyber security.

Another factor in determining the actual risk posed by a vulnerability is business impact. Vulnerabilities that threaten critical business assets represent a far higher risk than those that are associated with less-critical targets.

Altogether, an organization’s focus should be on risk and not just security, which brings us to why security cannot live without compliance.

To gain insight into their risk posture, organizations must go beyond just assessing threats and vulnerabilities. They need to consider compliance as well as business impact. Only a combination of these three factors assures a holistic view of risk. Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.

In general, there are three major elements of a risk-based approach to security:  continuous compliance, continuous (security) monitoring, and closed-loop, risk-based remediation.

Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. The use of continuous compliance can reduce overlap through a common control framework, increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75 percent.

Applying continuous (security) monitoring, implies an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.

Lastly, closed-loop, risk-based remediation leverages subject matter experts within business units to define a risk catalog and risk tolerance. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement. By establishing a continuous review loop of existing assets, people, processes, potential risks, and possible threats, organizations can dramatically increase operational efficiency, while improving collaboration among business, security, and IT operations. This enables security efforts to be measured and made tangible (e.g., time-to-resolution, investment into security operations personnel, purchases of additional security tools, etc.).

By leveraging a risk-based approach to security, progressive organizations can reduce risk, lower costs, improve response readiness, and increase risk-posture visibility. A good example is Fiserv, a company that serves the financial services industry with a broad spectrum of payment and account processing solutions. The company uses a risk-based approach to security and dynamically aggregates and correlates financial, operational, and IT key risk indicators (KRIs) from multiple and diverse controls to detect system vulnerabilities so identified risk can be effectively mitigated. This approach has reduced the time it takes to produce risk profiles from six to three months, while shortening the policy control process from four to two months. As a byproduct, Fiserv has achieved increased credibility with its board, management, and regulators. 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.