As new mandates come online, most firms need to ensure IT systems meet changing regulations. But is compliance stealing resources from cybersecurity efforts?
Four out of five firms are more worried about compliance than they were five years ago, according to recent research from Hornetsecurity. In more than half (57%) of organisations, the IT department bears the load of compliance assurance, the study reveals.
In the majority of cases, compliance overload significantly impairs the IT function's ability to do its job. One consequence: 13% of firms are unable to say whether they are fully compliant.
“Compliance is a heavy burden for many organisations because it requires a high level of operational maturity to handle effectively,” says Daniel Hofmann, CEO of Hornetsecurity.
“There are process, organisational and technical components. A given organisation may be beholden to multiple regulatory frameworks and governing bodies – each with its own ever-changing rules and requirements. On top of that, amidst the chaos of getting these controls into place, many organisations struggle to keep up with changing regulations.”
In many cases, this is complicated by the fact that different people within the organisation are responsible to various regulators.
“GDPR, for example, falls under the data protection officer’s remit, PCI or the Digital Operational Resilience Act (DORA) regulation might fall on business application owners, while NIS2 may come under an organisation’s CIO or CISO remit,” says Romain Deslorieux, director of strategic partnerships for cloud protection at Thales.
This stretches resources, so the trick is to find some commonality. Most regulations demand similar actions, says Deslorieux, such as “assessment, records of workloads and processing, protection of data, and improving the amount of internal communication that’s taking place.”
He adds: “Many regulations have four main objectives in common: define the scope of responsibilities regulated; mandate to run a risk assessment in relation to that scope; list technical and organisational measures required to mitigate the risks; and list obligations towards supervisory authorities, such as reporting and penalties.”
Source: SC Media