On the panel with Jack:
Paul de Luca, Head of Cyber Risk at HPE
Watch the panel discussion on compliance vs. risk-based cybersecurity (a FAIR Institute Contributing Membership is required to view).
Laura set some useful terms for the discussion:
“We should not forget the original intent of compliance-based regimes, basically because they generally yield a good, reasonable baseline for security. The problem arises when checklist-based compliance becomes the goal on its own. The incentive is to check a box rather than understand the intent, which is to reduce risk.”
Here are more of the tips, insights and frustrations voiced:
Laura: “It’s all about prioritization. You can’t put out all the fires; you have to be able to focus your efforts and your budget on what matters most.”
Laura: “It takes time, patience, and a lot of effort, knocking on every door, to create a risk-engaged culture: people understanding that there is no perfect protection and being OK with that, and standing behind a decision that this is the most important control to prioritize and moving forward.”
Paul: “I don’t think compliance is ever going to go away, particularly on the legal and regulatory front. I never thought I’d say this, but I welcome the fact that there is compliance, because if nothing else it puts some guardrails up for you. It can always get better, with more clarity, but I think we are the folk that need to change. Expecting others to change isn’t going to work.”
More from the FAIR Institute’s London Summit:
Richemont’s New Approach to Cyber Risk Management: Defend the Value Chain with FAIR