3 Reasons to Focus More on Cyber Resilience than Compliance


To say our country is at war with cyber criminals is an understatement.

The onslaught of attacks is relentless, and the numbers are staggering. Last year, 800,944 cybercrime-related complaints – or nearly 2,200 per day – were reported to the FBI’s Internet Crime Complaint Center. While the number of complaints dipped by five percent, the dollar value of potential losses skyrocketed 48 percent to $10.2 billion. 

It seems that each day we hear or read about a new breach at some of our country’s most venerable private and public sector institutions. In mid-June, for example, Russia-linked criminals breached several federal agencies. Among those agencies was the Department of Energy, which oversees our country’s nuclear weapons – and whose cyber defenses were breached two years earlier. 

Recognizing that our country is in an unending war, lawmakers have proposed more funding for cybersecurity for fiscal year 2024, earmarking $13.5 billion for the Pentagon and another $12.7 billion for other agencies. The recommended funding package includes $3.1 billion for the Cybersecurity and Infrastructure Security Agency, which would represent a modest $145 million bump in the agency’s current budget. 

That is a positive step forward, but here is the problem: Our federal government has a long history of being obsessed with compliance-related rules and regulations. That mindset thwarts progress for several reasons.

  • First, our adversaries do not have compliance standards to meet. They only care about winning each battle and causing maximum harm.
  • Second, a compliance mindset is reactive rather than proactive. With each successful breach, policymakers seek to “fix” the problem through improved compliance. It is a slow and ineffective approach because by the time new standards are approved and implemented, threat actors have found other ways to bypass the new safeguards. There is a long and growing list of organizations that met compliance standards, yet fell prey to criminals.
  • Compliance is the lowest rung on the cybersecurity ladder that also includes maturity and, at the top, effectiveness. The obsession with compliance has another negative consequence….
