This report is a useful and important read. #infosec #Compliance
corporatecomplianceinsights.com/2020-cyber-rep…
(Thread follows)...
Glad to see the two numbers bear out the problem I have called out over time
I wish the survey had asked how much of a decrease we would see in the 40% and 58% numbers if we got rid of compliance overheads that are not truly #regulatory #compliance obligations
I think the solution to the problem may well lie in security leaders pushing back on "self-imposed" or "quasi-compliance" burdens. (One can identify a sample of these on the chart) 

Let me explain a bit...
Most, if not all, #infosec #regulations are focused on #foundational security #hygiene that one should be operationalizing anyway
If we have operationalized a risk-relevant security program and are able to measure and manage our security posture constantly, regulatory compliance should really be a "natural demonstration" and not an unnecessary overhead
In my view and experience, the problems illustrated by the two numbers are mostly self-imposed (quasi-compliance) by way of internal and external compliance overheads. Two examples follow...
Example 1 -
Internal audits or assessments that use processes and template security controls frameworks that are not truly and entirely focused on contextual security risks
Example 2 -
Annual attestations or certification obligations that customer organizations have come to expect or mandate of their service providers or vendors
As for the second example, these mandates are usually too burdensome for what they try to accomplish and still don't usually provide adequate assurance around day-to-day security risk management operations
I'll suggest an alternative approach to assurance in third-party-risk-management (of service providers and vendors) in an upcoming blog post #TPRM
I'll end by saying that the infosec profession will be well served to avoid or actively resist self-imposed quasi-compliance burdens.
/end
Keep Current with Kamal Govindaswamy