The cliché "being compliant doesn't mean you are secure" is repeated in countless articles, blogs, and interviews, but it is rarely followed by any useful advice. There are tangible benefits to being compliant with the cyber security requirements that apply to your business, such as NIST 800-171, PCI-DSS, ISO, HIPAA, and many others. Each one is an opportunity to do more than simply achieve compliance.
Compliance should be the foundation of your cyber security program because it is easy to explain and easy to measure. The same cannot be said for malware, advanced persistent threats, digital forensics, or how the security information and event management (SIEM) platform works. Too often security teams are mired in explaining the highly technical operational elements of their program to a non-technical audience of executives, and rarely is that audience any more enlightened at the end of the briefing. Compliance, on the other hand, can be understood by any business and its executives with little explanation: it is a defined set of requirements, and you are either meeting them or you are not. Leverage that understanding to win support for the program you are building. Here is how: