
Why Are Cybersecurity Pros Struggling With Compliance?

Regulatory compliance is a growing priority for cybersecurity teams as they face mounting cyber risk, expand their use of technology, and try to navigate a fast-evolving legislative landscape. Failure to adhere to the requirements enshrined in laws such as the UK Data Protection Act 2018 and the EU AI Act could lead to significant fines. But with cybersecurity teams already overstretched and under pressure from senior management, achieving and maintaining compliance is far from straightforward.

This is where industry standards can play an outsized role in helping streamline regulatory compliance.

Compliance Isn’t Easy

Compliance is a growing challenge for many cybersecurity professionals. In a recent survey of 200 technology decision-makers conducted by Infosecurity Europe, nearly half (44%) admit they are struggling to comply with cybersecurity legislation because it’s too difficult to understand and too time-consuming to implement.

It reveals that, out of 12 existing and emerging cybersecurity regulations, the US Sarbanes-Oxley Act (SOX) is among the most complicated to implement. In fact, 41% of respondents described it as “very complex”. Meanwhile, 75% of cybersecurity professionals believe that the UK Data Protection Act, EU Cybersecurity Act and NIS/NIS2 are “somewhat complex” to comply with.

Elsewhere in this study, 24% of respondents say the EU Cybersecurity Act and the Data Security and Protection Toolkit (DSPT) are the most relevant regulations for their organisations, followed by the UK Data Protection Act (22%). Alarmingly, only 50% of organisations are fully compliant with SOX and the EU Cybersecurity Act, illustrating the challenges facing cybersecurity and compliance teams amidst a fast-evolving regulatory landscape.

These issues are also highlighted in ISMS.online’s The State of Information Security 2024 report, which ranks compliance with regulations and standards as the second biggest challenge faced by cybersecurity teams (33%). In another key finding from the report, nearly half (46%) of respondents say that achieving ISO 27001 compliance takes anywhere from six to 12 months. A further 11% say it would take 12 to 18 months, and 5% say it would take more than a year and a half.

The Burden Grows

One of the main reasons cybersecurity teams find compliance so hard is the growing scale and complexity of industry regulations, according to Richard Breavington, a partner at law firm RPC.

“The sheer amount of legislation that could affect organisations, coupled with the fact that they are changing and being updated rapidly, means it can be a challenge to ensure compliance,” he tells ISMS.online. “In addition, these regulations require different technical and organisational standards that are not necessarily uniform.”

Steven Wood, director of solution consulting at IT security firm OpenText Cybersecurity, blames this compliance headache partly on unauthorised use of consumer technology, unexpected mergers, under-investment, and the constant pressure to stay ahead of the competition.

“As the threat landscape continues to evolve, security teams face the challenge of securing dynamic IT environments while adhering to stringent compliance requirements,” he tells ISMS.online. “Additionally, evolving threats like phishing, supply chain exploits, insider threats, and zero-day vulnerabilities necessitate a multifaceted approach to cybersecurity.”

Sean Wright, application security lead at Featurespace, suggests that the growing cybersecurity skills gap – a leading challenge identified by 31% of respondents in the ISMS.online study – means many organisations simply don’t have the resources to comply with new and emerging regulations.

He tells ISMS.online that compliance is rarely a “one-off” exercise for businesses – instead requiring the continuous attention of cybersecurity teams. He adds that constant changes to existing laws – alongside the introduction of new regulations – increase the burden and workload on stretched cybersecurity teams, making it easier for them to miss or overlook key details.

Streamlining Compliance

RPC’s Breavington believes that organisations could streamline the process by delegating the creation and implementation of a “meaningful compliance plan” to a dedicated team of specially trained professionals.

These experts would take the lead on identifying relevant regulations, understanding key legal requirements and ensuring their organisation is fully compliant, he says.

“To the extent possible, it is worth trying to find consistent technical standards that will allow compliance across the board, even if that means potentially going above and beyond what is needed for some of the regulations,” he argues.

Educating employees on the latest information security, social engineering and compliance trends can also help organisations better comply with cybersecurity regulations and protect their reputations, argues OpenText Cybersecurity’s Wood.

“Comprehensive employee education programs are vital to prevent human vulnerabilities from being exploited,” he says.

Featurespace’s Wright urges cybersecurity teams to implement “robust” and “repeatable” processes to fulfil ongoing regulatory obligations. He also encourages them to automate “repeatable items” so that these commitments don’t drain crucial cybersecurity resources.

Companies can increase the effectiveness of their cybersecurity compliance programmes by ensuring every team member understands the importance of these regulations, he continues. This will ensure compliance “doesn’t just become a security team effort but a company-wide effort”.

The Importance of ISO 27001

By implementing a globally recognised standard such as ISO 27001, organisations can adopt the best practices needed to improve their security posture and, in turn, satisfy regulators’ requirements.

RPC’s Breavington explains that such certifications are straightforward to keep up to date and demonstrate an organisation’s ongoing commitment to regulatory compliance. He suggests this is a more effective approach than “keeping track of the multiple and potentially less specific legal and regulatory requirements”.

Wright also sees value in following ISO 27001, believing that it will improve customers’ confidence in an organisation’s approach to cybersecurity and compliance. He adds that tooling such as an information security management system (ISMS) platform would enable organisations to streamline and meet some compliance requirements, and in doing so “free up resources” across burnt-out and overworked cybersecurity teams.

Given the potential financial and reputational repercussions, non-compliance with industry regulations isn’t an option. But with the help of user awareness programmes, industry best practices and the latest automated cybersecurity tools, there is at least a way for organisations to reduce the burden.
