In today’s world, compliance is essential. Maintaining trust and growing a business’s reputation is non-negotiable and inextricably linked to cyber security standards. However, compliance, in probably all of our experiences, is not the easiest program to build and maintain. As security leaders, we need to know how to adhere to an expanding array of regulations, laws, and standards, many of which overlap or conflict with one another. This complexity makes achieving, maintaining, and proving compliance feel like a burden.
At Cloudflare, we dedicate significant resources to understanding compliance requirements, implementing the right security processes and controls, monitoring changes in our environment, and conducting assessments that demonstrate our compliance. At an earlier point in my career, I would have seen such effort as a tax. However, after 20 years in cyber security, I’ve finally come to stop worrying and learn to love compliance because of what it lets us accomplish as a community, not what it takes away.
Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb
The longstanding failure to grasp the magnitude of the cyber security threat has led to a world that has normalized dependence on fundamentally unsafe technologies. Speed and cost for too long outweighed the values of security and privacy. This has been a failure of policy, a failure of management, a failure of capability, and above all a failure of imagination.
Within the Department of Defense and at the National Security Agency, we focused a lot on the “mission,” which to many means an outcomes-based approach to solving critical problems. The word wrongly implies a disregard for compliance in favor of an all-out assault. In my experience, that was never the case. Outcomes and compliance were always parallel tracks that led to operational risk reduction, as well as better thinking and more creativity.
We cyber security leaders have a responsibility to align policy and strategy as the foundational starting point for enhancing security, building confidence, and forging new relationships. If we take this approach, we can apply mission-oriented solutions to the problems of protecting user data, securing intellectual property, avoiding financial theft, and in some cases preempting physical damages.
It’s hard to build trust and easy to lose it. Failing to comply with regulations can mean fines, certainly, but it can also mean losing the trust and confidence of customers and partners.
We all know that compliance requirements often create box-checking exercises instead of operational risk reduction. For this reason, I see the practice of cyber security within highly regulated, and highly targeted, fields such as healthcare, financial services, and national security as a strong blueprint for all of us. In these fields, organizations do more than check boxes: they voluntarily hold themselves to even higher standards than regulations require.
Our security work begins when we meet standards. As a tool, compliance allows us to express our work, look around and see whom we can trust, and begin to tackle the hard work of eliminating threats. We often hear that a SOC report or ISO certification should stop breaches, yet breaches still happen. Why? The answer is that compliance with frameworks and standards is a way for us to recognize sooner when something is amiss. It will never, by itself, be a way for companies or teams to prevent incidents and exposure. That requires an even more comprehensive approach to cyber security, one based on technical controls.
At Cloudflare, we comply with key regulations and standards, and we have earned a number of important certifications. We’re embracing compliance for the opportunities it can create. But we’re not stopping there. We’re staying focused on our mission to build a better, more secure Internet. We’re moving beyond compliance by implementing advanced security capabilities that will keep our business, our partners, and our customers safe. Cloudflare was built to help you and your customers be more secure on the Internet. Learn about the certifications that help us preserve that security.
After reading this article you will be able to understand:
How to view compliance as an enabler and not a burden
Why frameworks and standards will never, by themselves, eliminate incidents or exposure
How implementing advanced security beyond basic compliance keeps a business, its partners, and its customers safe