As in the often-quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to overcomplicate issues than to solve them. At the same time, companies that focus only on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.
After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.
Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels: “If you do something that upsets your customers from a privacy standpoint and then you tell them, ‘Well, I’ve done everything correct under the law,’ will they be any more satisfied? Probably not. That’s privacy risk in a nutshell.”
When focusing on cybersecurity or data privacy, the key is to understand what your risks are. In many cases those risks will involve other parties, and you need to determine the impact that an incident will have on them when you decide how and where to take preventive action.
“Focus on your customers and your employees and the business will take care of itself,” is another often quoted phrase. If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of itself, as well.