A recent article lamented the confusion and inefficiencies imposed on cyber security teams as a result of mushrooming complex and often redundant cyber security compliance frameworks. These growing pains were confirmed by CISOs at the World Economic Forum’s Annual Meeting on Cybersecurity in 2024, who stated that fragmented cyber security regulations across jurisdictions greatly impeded their organizations’ ability to maintain compliance.
In the next section, I explore some of the critical pain points organizations face in their quest to comply with a raft of cyber regulations and share actionable insights to alleviate their pain and lower the cost of cyber security compliance.
Let’s start by exploring the three most pressing challenges cyber security teams face when attempting to comply with cyber security standards:
- Inconsistent Security Standards: The lack of uniform cyber security compliance frameworks creates inconsistencies in how organizations implement security measures. The extensive differences in scope, focus, and specific requirements increase the cost and complexity of cyber security, as teams invest considerable amounts of money and time reconciling controls in their attempt to develop a cohesive security strategy that meets all relevant standards. As one global cyber leader bemoaned, “Complexity creates chaos, and chaos distracts from the tangible priorities of safeguarding any organization.”
Let me illustrate an identity and access management example:
- Access Control Models - ISO 27001 (Information Security Management Systems) vs. NIST Cybersecurity Framework (CSF):
- ISO 27001: Recommends role-based access control (RBAC) but leaves the specifics to the organization.
- NIST CSF: Emphasises the use of least privilege and mandatory access control (MAC) or discretionary access control (DAC) based on security policies.
- Conflict: The flexibility in ISO 27001 can often lead to variations in how access control is implemented, while NIST CSF’s recommendation for specific control models (MAC or DAC) can impede the flexibility required to adjust controls to risk appetite and exposure.
- Evolving Regulations and Threat Landscape: The dynamic nature of cyber threats adds another layer of complexity to the regulatory environment. Cybersecurity frameworks are often outpaced by threat actors, who are constantly deploying novel and lethal tools that can easily circumvent archaic defenses. Attempting to keep up with the fluid threat landscape while ensuring compliance with existing regulations is daunting.
- Legal and Ethical Dilemmas: Conflicting regulations also give rise to legal and ethical dilemmas. For example, some countries mandate that certain types of data be stored and processed within national borders. However, this may conflict with other regulations that promote cross-border data flows and international collaboration. Organizations must navigate these complex legal landscapes and balance competing interests, which can lead to difficult ethical decisions and potential legal liabilities.
Overcoming cyber security compliance fatigue is certainly challenging, but it can be done. Here are three proven strategies cyber security teams can deploy to strike the right balance:
1. Develop an In-Depth Understanding of Each Framework
Organizations should understand core elements of each cyber security framework to determine which will best address compliance requirements while minimizing the cost of cyber security. Here are some top security frameworks, in no particular order:
- COBIT (Control Objectives for Information and Related Technology) – created by ISACA, the COBIT framework enables managers to bridge the gap between control requirements, technical issues and business risks.
- The NIST Framework for Improving Critical Infrastructure Cybersecurity – produced by the National Institute of Standards and Technology of the US Department of Commerce, this framework ‘enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.’
- The CIS (Center for Internet Security) Critical Security Controls – produced by SANS, these are ‘a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.’
- The ISO 27000 series – developed by the International Organization for Standardization (ISO), the ISO 27000 series enable organizations to implement processes and controls that support the principles of information security.
The suitability of a cyber security framework must be determined based on applicable laws, industry standards, organizational risk profile, business goals, and resource constraints. It goes without saying that organizations providing critical services to the US federal government will pursue NIST compliance, while Small and Medium-sized Enterprises (SMEs) may want to focus on the CIS Top 20, given resource constraints. Once the cyber security team has selected the most suitable framework (or a blend of multiple relevant frameworks), they should seek endorsement from the executive team or cyber risk governance committee to ensure a shared sense of purpose.
2. Map and Identify Framework Overlap
Mapping will enable organizations to identify overlapping controls to create a unified control set that addresses the requirements of multiple frameworks. This way, the organization can avoid redundant controls and processes, which in turn reduces cyber security team fatigue, accelerates innovation and lowers the cost of security. There are two steps to achieve this:
- Identify Uniform Requirements – Conduct an in-depth review of relevant frameworks (e.g., NIST, ISO 27001, CIS) to identify overlapping controls or synergies.
- Produce a Control Mapping Matrix – Create a structured mapping document that aligns controls from different frameworks, ensuring traceability and compliance consistency across regulatory and industry standards. A detailed mapping will also streamline processes, enabling you to simultaneously comply with multiple requirements and reduce the cost of assurance.
Let me demonstrate through a practical example:
- Mapping access control requirements between ISO 27001 and NIST:
| ISO 27001 Control | NIST Control | Control Objective |
|---|---|---|
| A.9.1.1 Access Control Policy | AC-1 Access Control Policy | Requires organizations to formally document access controls. |
| A.9.2 User Access Management | AC-2 Account Management | Emphasizes the least privilege principle, ensuring access is strictly aligned to job requirements. |
| A.9.4 System and Application Access Control | AC-3 Access Enforcement | Defines authentication and role-based security requirements. |
To minimize gaps, control mappings should be reviewed and updated at least once annually, or following major technology upgrades, changes to business direction, new threats or updated standards.
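The mapping matrix above is a static document; the two steps it comes from (identify uniform requirements, then build a traceable mapping) can also be checked mechanically so that gaps and redundant controls surface before an audit does. The following Python script is an added example written for this article, not a tool from any of the frameworks or vendors named here. The ISO 27001 and NIST control identifiers are the ones in the table; the unified control names (UC-01 to UC-04) and the `AC-PLACEHOLDER` requirement are constructed for illustration and are not real control identifiers. Given each framework's requirement list and the set of controls the organization actually operates, it reports which requirements have no control behind them, which controls only duplicate coverage another control already provides, and a minimal set of controls (greedy set cover) that still satisfies every mapped requirement.

```python
"""Cross-framework control mapping check (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Key = Tuple[str, str]  # (framework, control id)


@dataclass(frozen=True)
class Requirement:
    """One requirement as a framework states it."""
    framework: str
    control_id: str
    title: str


@dataclass(frozen=True)
class UnifiedControl:
    """One control the organization operates and the requirements it is mapped to."""
    name: str
    satisfies: FrozenSet[Key]


# Constructed sample input that mirrors the ISO 27001 / NIST table above.
REQUIREMENTS: List[Requirement] = [
    Requirement("ISO 27001", "A.9.1.1", "Access Control Policy"),
    Requirement("ISO 27001", "A.9.2", "User Access Management"),
    Requirement("ISO 27001", "A.9.4", "System and Application Access Control"),
    Requirement("NIST", "AC-1", "Access Control Policy"),
    Requirement("NIST", "AC-2", "Account Management"),
    Requirement("NIST", "AC-3", "Access Enforcement"),
    # Constructed placeholder (not a real control id) so gap detection has something to find.
    Requirement("NIST", "AC-PLACEHOLDER", "Unmapped requirement (constructed)"),
]

# Constructed unified control set; names are hypothetical.
UNIFIED_CONTROLS: List[UnifiedControl] = [
    UnifiedControl("UC-01 Documented access control policy",
                   frozenset({("ISO 27001", "A.9.1.1"), ("NIST", "AC-1")})),
    UnifiedControl("UC-02 Joiner/mover/leaver process with least-privilege review",
                   frozenset({("ISO 27001", "A.9.2"), ("NIST", "AC-2")})),
    UnifiedControl("UC-03 Authentication and role-based access enforcement",
                   frozenset({("ISO 27001", "A.9.4"), ("NIST", "AC-3")})),
    # Deliberately redundant: everything it covers is already covered by UC-03.
    UnifiedControl("UC-04 Legacy application access gate",
                   frozenset({("ISO 27001", "A.9.4")})),
]


def analyse(requirements: List[Requirement],
            controls: List[UnifiedControl]) -> Tuple[Dict[Key, List[str]], List[Key], List[str]]:
    """Return (coverage per requirement, unmapped requirements, redundant controls)."""
    known = {(r.framework, r.control_id) for r in requirements}
    coverage: Dict[Key, List[str]] = {k: [] for k in known}
    for control in controls:
        for key in control.satisfies:
            if key not in known:  # mapping points at a requirement no framework lists
                raise ValueError(f"{control.name} references unknown requirement {key}")
            coverage[key].append(control.name)
    gaps = sorted(k for k, names in coverage.items() if not names)
    # A control is redundant when every requirement it covers is also covered elsewhere.
    redundant = sorted(c.name for c in controls
                       if c.satisfies and all(len(coverage[k]) > 1 for k in c.satisfies))
    return coverage, gaps, redundant


def minimal_control_set(requirements: List[Requirement],
                        controls: List[UnifiedControl]) -> List[str]:
    """Greedy set cover: choose controls until every mapped requirement is covered."""
    coverage, gaps, _ = analyse(requirements, controls)
    uncovered = set(coverage) - set(gaps)
    chosen: List[str] = []
    remaining = list(controls)
    while uncovered:
        best = max(remaining, key=lambda c: len(c.satisfies & uncovered))
        if not best.satisfies & uncovered:
            break
        chosen.append(best.name)
        uncovered -= best.satisfies
        remaining.remove(best)
    return chosen


def mapping_matrix(requirements: List[Requirement], controls: List[UnifiedControl]) -> str:
    """Render the mapping as a markdown table in the article's layout."""
    coverage, _, _ = analyse(requirements, controls)
    rows = ["| Framework | Control | Title | Unified control(s) |", "|---|---|---|---|"]
    for r in requirements:
        names = ", ".join(coverage[(r.framework, r.control_id)]) or "GAP"
        rows.append(f"| {r.framework} | {r.control_id} | {r.title} | {names} |")
    return "\n".join(rows)


if __name__ == "__main__":
    _, gaps, redundant = analyse(REQUIREMENTS, UNIFIED_CONTROLS)
    print("Unmapped requirements:", gaps)
    print("Redundant controls:", redundant)
    print("Minimal control set:", minimal_control_set(REQUIREMENTS, UNIFIED_CONTROLS))
    print(mapping_matrix(REQUIREMENTS, UNIFIED_CONTROLS))
```

Running the script lists the constructed placeholder as the only gap, flags UC-04 as redundant, and shows that UC-01 to UC-03 alone cover every mapped requirement. Re-running it after each annual review or framework update is a cheap way to keep the matrix honest.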
3. Further considerations
Here are five measures to minimize cyber security regulation overload:
- Actively collaborate with the privacy and legal teams from the start to ensure that controls that underpin the license to operate and strict regulations are baked deeply into operational processes and are prioritized for implementation.
- Prioritize automated controls to reduce human error, reduce audit cost and provide greater assurance to stakeholders.
- Avoid cumbersome and unnecessary documentation, ensuring procedures are kept concise, current, and easily accessible.
- Enlist suitably qualified and independent consultants to validate the design and operational effectiveness of key controls, and spot redundant implementations.
- As the old adage goes, you can’t improve what you can’t measure. Establish a good set of forward-leaning and historical metrics to self-assess key controls and close key gaps.
Take a Balanced Approach
Cyber compliance standards play an integral role in ensuring organizations prioritize the protection of consumers’ confidential and sensitive information above profits. But to reduce pressure on cyber teams already battling stress, cyber leaders must take a pragmatic approach that carefully balances compliance with innovation, agility and efficiency.