But Cybersecurity Experts Are Needed More Than Ever.
The responsibility for cybersecurity has traditionally been shared between compliance and IT departments. But what happens when the functions of those two departments converge?
This is an issue many companies are currently facing. Compliance and IT are overlapping as company structures adapt to cloud computing, the work-from-anywhere transition, and modern technical infrastructure. The compliance elements of employee behavior and the IT elements of physical device and computing infrastructure — now residing more than ever in the cloud — are increasingly intertwined.
This transition threatens to put cybersecurity in an ambiguous and precarious place for one of the most mission-critical elements of a company’s operations. The danger is that critical cybersecurity efforts will get lost in the shuffle.
So how do companies combat this? As compliance and IT converge, how do companies maintain an unwavering focus on the most important aspects of cybersecurity?
Leave it to the pros
It’s going to take collaboration between compliance, IT and cybersecurity pros to cover all the cybersecurity bases. But cybersecurity pros should be leading the charge in critical cybersecurity efforts. Just like you wouldn’t put IT in charge of running compliance or compliance professionals in a leadership position for technical IT issues, cybersecurity should require the same attention and care. Cybersecurity is increasingly complex and evolving at a rapid pace. Having dedicated cybersecurity professionals in place at the highest levels, dictating best practices and keeping pace with evolving cyber trends and threats, is going to be non-negotiable in the future.
The point is to increase a firm’s cybersecurity posture in such a way that cybersecurity risk is meaningfully reduced and attacks are either prevented or detected and mitigated at lightning speed before any damage is done. This cannot be accomplished by the split focus of compliance-IT leading the cybersecurity charge.
Collaboration is a two-way street
Compliance and cybersecurity need to talk to each other at the highest levels.
Do the security analysts, forensic professionals, and threat hunters need to expand the scope of their work to include compliance professionals? Absolutely. Compliance professionals will be critical in documenting risk assessments, articulating cybersecurity risk, helping with public disclosures around cybersecurity incidents, and many other things. But to expect that an outsourced comprehensive compliance company is going to have someone on staff who sees an alert come in at 2:37 am on New Year’s Day indicating that a firm’s server is communicating with a known threat actor’s command and control server, and who responds to that alert in real time, just isn’t reasonable.
These pros need to up their game and be more aware of the compliance requirements so that they can contribute to meeting all compliance requirements. But they need to lead the technical, on-the-ground, tactical efforts to keep a company’s data and networks secure and safeguarded.
Evolve and adapt
The changes in compliance and IT have been dramatic. But the changes in cybersecurity come at a company every day, sometimes every hour. Evolving, adapting and keeping pace is a full-time job. Threat actors are constantly probing vulnerabilities, concocting new methods of infiltration and using new techniques to exploit weaknesses. Hypervigilance, experience, up-to-the-minute knowledge of emerging cybersecurity trends — these all come from having a dedicated team whose sole focus is cybersecurity. Cybersecurity should never be an afterthought, a function lost between two converging departments. Now more than ever, cybersecurity deserves a company’s complete and undivided focus.