Compliance alone isn’t enough to protect your business

Chris Melli

When your business sets out to achieve a compliance standard — such as PCI DSS, GDPR, CCPA or HIPAA — you’re taking an important step toward protecting your business. The compliance process will require you to address key controls around firewalls, passwords, encryption, malware, access, etc., and implement security best practices. These are all important elements to a security program.

But, unfortunately, compliance alone isn’t enough to protect your business from today’s rapidly evolving cybersecurity landscape.

Compliance standards are typically designed for a unique and specific purpose. For example, PCI DSS was created to enhance cardholder data security and protect account data. But because it’s limited to a specific scope boundary or ‘enclave,’ it may not protect all key assets, systems and functions critical to your organization (outside of that enclave). Even within the boundary itself, it’s likely you may still need to implement more pervasive controls to better secure the overall environment in which it operates.

Other regulatory compliance programs also have a similarly limited design. GDPR focuses on broad digital privacy protections. CCPA focuses on data privacy rights. HIPAA is designed to protect health data. And SOX was created after major corporate scandals, to certify the accuracy of financial statements.

These standards, as well as others, certainly address the goals of the compliance initiative they were built for. And they reach numerous critical control families and encourage many best practices. But they’re not designed to be the foundation of your cybersecurity program. So what should you do?


Integrate your compliance program into a risk-based framework

By all means, implement regulatory compliance standards when they’re:

  • Required by your organization and/or industry
  • Defined contractually
  • Expected to encourage business growth
  • Or needed to support other business or legal functions


But at the same time, seek to stack required compliance programs on top of an overarching risk-based framework that can serve as a more solid cybersecurity foundation.

A risk-based framework centers on understanding and responding to factors that can lead to confidentiality, integrity and availability failures. And it starts with controls that secure your organization from present or perceived risk scenarios.

You can use a risk-based framework to build or improve upon your cybersecurity program — by focusing the design and implementation of controls, technology and associated investment based on risk to your organization.

Applying a risk-based framework will help you create a more secure overall environment than compliance alone. It can also help you stay more current and relevant within a rapidly evolving security landscape, since you can modify controls more freely based on actual risks important to your organization.

Regulations are often not updated quickly enough to give you adequate security assurance, so stacking required compliance programs on a more thorough, risk-based framework is a far better route to follow.


Benefits of a risk-based framework approach

By applying a risk-based framework approach, you can:

  • Protect your most critical assets thoroughly
  • Customize controls according to your specific security and organizational needs
  • Take a more proactive stance on security
  • Encourage a resilient culture
  • Improve your regulatory compliance posture organically

A risk-based approach to cybersecurity delivers all of these benefits and more because of its fundamental and pragmatic design. By first understanding which assets are most critical, and then responding to the real-world risk scenarios that could affect them, your organization can get on the right path toward proactive security that reduces your exposure to threats.

By encouraging employees to work with risk team members and share the threats they actually encounter (paired with a risk team that proactively hunts for threats), your company culture becomes more resilient to changes in the external environment. This in turn improves your control posture organically, which also supports downstream regulatory compliance maturity.


What are some risk-based frameworks to consider?

To manage your cybersecurity program most effectively, implement a risk-based framework that also helps you maintain compliance, where applicable. Two of the most widely recognized frameworks are:


  • ISO/IEC 27001, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, is an internationally recognized standard that provides a risk-based framework for Information Security Management Systems (ISMS). It’s designed to help ensure the continued confidentiality, integrity and availability of information, and it can be used by organizations of any kind that need to manage asset security. You can also be certified against this standard and gain various business benefits by doing so, such as retaining current business, winning new deals and improving your overall security posture.


  • The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce, tasked with researching and establishing standards across all federal agencies. Specifically, NIST Special Publication 800-53 defines the standards and guidelines that federal agencies use to architect and manage their information security systems.

    Although NIST was established to provide guidance for protecting agencies’ and citizens’ private data, this risk-based framework applies to a broad base of public and private sector organizations. For that reason, private sector businesses can and do choose to implement this framework, or parts of it, when forming their own cybersecurity programs, as it’s widely accepted as an industry gold standard. The overall design of NIST 800-53 is enterprise-focused, meaning its controls are not as boundary-specific as those of other regulatory compliance programs.


Cloud security management with Rackspace Technology

When it comes to cloud security management, you don’t have to go it alone. Rackspace Technology can partner with you to address every element of your security journey and take the weight off of your in-house team so they can focus on more strategic initiatives.

Through our experience across thousands of clients and our extensive partner ecosystem, we can help you define and implement a cloud security strategy designed to keep your business safe.

Do you know your current cybersecurity risk score? Take our 15-question self-assessment today. Then take advantage of a professional consultation with one of our cloud experts who will review your results and offer best-practice recommendations on how to address any identified security gaps.
