outscoring their opponents through pure offensive dominance. Fans whose teams run hurry-up
offenses love the games they win and are miserable during the games they lose.

When your offense scores 65 points a game and your defense gives up 66 points a game, you
always lose. The loss almost always seems inevitably scripted with a rough ending.

The approach to cyber is similar in the sense that the world’s most powerful nations have been
running hurry-up offenses against each other for years with little focus on defense. This run-and-
gun digital arms race has resulted in an unbalanced scenario where the game clock never stops
and the defense never has time to catch their wind.

The focus on offense advances so quickly that collateral damage inflicted on your own team is an
expected outcome of a good game.

Cyber attacks have had some benefits, though very few until recently, when compliance penalties
began to cause financial impact. Without the financial penalties associated with
breaches, there’s little to no incentive for spending on security and an even lower threshold for
reporting on what happens when companies get breached.

Our response when compliance is inadequate? Apply more compliance of course.

Hyper-Compliance Bridges the Gap

Hyper-compliance is a relatively new term applied to an era that we’ve just begun to embark upon.
This era is characterized by rapidly accelerating pressure from both regulators and customers on
businesses to secure data, to the point where people become so overwhelmed with how to
respond that they lose focus on why they are responding. It’s part frustration and part confusion.

For example, what regulations apply to our company now? Which regulation trumps the other? Which
is more important, PCI-DSS or GLBA? The list of questions goes on in an infinite loop.

The era we’re facing is less about major rewrites of compliance frameworks and more about rapid
enforcement and change to how companies approach IT security. Regulations that were once
avoidable and unenforceable will now be mandatory and applied more liberally than in the past.

The business-to-business risk evaluation process that companies didn’t have to address in the past
will be implemented in contract vehicles and new service agreements in the future. Again, view this
as a positive but painful change.

The list of changes over the horizon goes on and on, most for the better and some for the worse.
Albeit painful at times, this type of vigilant compliance with an increased focus on security will help
bridge the gap between people’s understanding of what being compliant means and what being secure
means.

14 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
