Why do so many organisations fail to comply with regulatory requirements? European data protection authorities imposed €146 million in GDPR fines during the first six months of 2024 alone.
This is especially alarming given that several regulatory changes and new regulatory frameworks are expected in the US, EU and UK in the months ahead. Cyber protection and data privacy laws continuously evolve, and yet many organisations still fail to comply with regulations enacted years ago.
But for a truly secure cyber posture, compliance is just the beginning. Indeed, organisational leaders need to make sure they not only adhere to the frameworks that govern their industries and customer ecosystems, but are genuinely protected by the cyber defence solutions and mechanisms they have in place. In this sense, security and compliance executives might benefit from a change in mindset by looking at company culture and treating regulations as guides – not ends unto themselves.
Strategic cyber compliance to achieve genuine protection
Complying with regulations should not be the ultimate goal, as this line of thinking may turn compliance into a compulsory effort not tied to real benefits. With data security, for example, the main concern is not about meeting CCPA, GDPR and other privacy guidelines as an objective unto itself. It’s about protecting the data of users or customers to maintain their trust and ensure uninterrupted business.
Achieving cyber compliance, moreover, does not mean that an organisation’s data is automatically safe. A fully compliant organisation can still be attacked and breached, although compliance tends to reduce the likelihood and severity of the worst outcomes. 3CX, for example, suffered a widely reported supply chain compromise in March 2023, when a trojanised build of its desktop client was distributed to customers, yet the company asserts that it protects data in line with GDPR.
Regulatory frameworks can be extremely strict, but they remain frameworks: security teams should treat them as starting points for identifying vulnerabilities and mitigating risks across the organisation, as the specifics of their own environment demand.
Badges of compliance build credibility, but that credibility can collapse in an instant if an attack bypasses the protections the badges were meant to attest to.
Navigating the complexity of information security and privacy
It is understandable, however, why many equate data security with regulatory adherence. In Europe, for example, GDPR is viewed as a key regulation in the use of data for AI development. In the United States, lawmakers are considering the merits of AI data privacy regulation in response to the privacy concerns raised over the use of massive amounts of data in AI.
Digital privacy and cyber regulation have become deeply intertwined, and navigating all the nuances can become quite complicated. Often, compliance teams need to pay more attention to the regulatory frameworks relevant to their audiences than those relevant to their corporation’s own location.
“One of the most intricate aspects of digital privacy law is its multifaceted nature, with regulations widely varying from one jurisdiction to another,” says Aaron Jackson of Dunlap Bennett & Ludwig. “The global nature of digital interactions has led to a complex tapestry of privacy laws that businesses must navigate,” he adds.
Given these complexities, it makes sense that compliance teams often find themselves defaulting to “tick the checkboxes” mode. They may no longer have the resources and time to come up with strategic data protection mechanisms that work for their specific cases, so they almost entirely rely on regulatory guidance.
Governance, risk management and compliance
Real data protection is not just about compliance. Two further aspects matter: governance and risk management. Together these form the governance, risk management and compliance (GRC) trio, a framework for managing information risk holistically rather than as a set of disconnected controls.
To ensure that a company’s entire attack surface is properly managed, data governance should be treated not as a standalone operation but as one of a set of complementary activities.
As Arik Solomon, Cofounder and CEO of Cypago, explains: “Due to the overwhelming increase in the amount of data every organisation is creating and consuming, today’s business environment demands a robust and integrated approach to GRC management.” He adds that “effective GRC management requires a holistic approach that considers governance, risk and compliance as interconnected functions”.
The adoption of GRC has also inspired changes to corporate structures and operations. For example, chief information security officers (CISOs) used to report mainly to chief information officers (CIOs), but now they interact with department heads across their organisations. Their roles are being reimagined as they co-ordinate efforts to address emerging threats and more sophisticated attacks, underlining the need for GRC management strategies that apply across departments.
Reshaping company culture to ensure cyber compliance
Modifying an organisation’s culture is easier said than done. It takes some time to successfully reshape the way teams view security. However, here are some points to encourage change for the better.
Firstly, it is crucial to understand that regulations are not end goals. CISOs can support culture change by integrating regulatory requirements into regular processes wherever applicable. Rather than relying on periodic assessments to catch gaps, compliance should be built in from the outset and treated as an ongoing priority, not a “set it and forget it” affair.
Secondly, it is important to highlight the benefits of change. As TrueFort’s Nik Hewitt notes: “The realisation that the security team is actually facilitating better working and improved productivity can be a major factor in greasing the wheels towards adoption – and can empower the added support of departmental heads in promoting best working practices for their teams.”
It is also necessary to point out the adverse consequences of lax security practices. Indeed, there are potential financial losses at stake when organisational cultures don’t evolve to become more effectively compliant, from regulatory penalties to the loss of customer trust. These are important details everyone in an organisation needs to understand.
Additionally, regular and ongoing training is a must. Everyone should be equipped with the knowledge and tools needed to adopt a culture of meaningful cyber compliance. Training sessions also provide opportunities to convey the benefits and challenges of culture change. Ongoing training is necessary because turnover in compliance-related roles is typically high, and both threats and compliance standards evolve rapidly.
Moreover, it is vital to maintain detailed records and processes. Proper documentation and complete record-keeping are important to ensure accountability, accuracy and traceability.
Lastly, organisations should take on a continual improvement mindset. Progress tracking is necessary in overcoming the challenges of reshaping company culture. It is important to spot issues and resolve them promptly while staying vigilant to keep threats at bay.
Consequential compliance
Regulations help organisations operate according to standards, but their positive impact is unsustainable if an organisation’s culture is incompatible with the underlying purpose of cyber compliance. Organisations need to reform their fundamental internal policies, practices and processes to instil proper data management and security. Regulations are important in compliance, but they are not the end goal. Rather, they serve as guides in instituting a culture change that makes good policies, rules and procedures a part of core operations.