I think about the various situations in life where the old adage of the “carrot and stick”, or alternatively reward versus punishment, might apply. My family and I recently acquired a new puppy, and reading the obligatory “how to train your dog” manual, the general consensus/advice from dog experts seems to be: applauding good behavior is much better than punishing bad behavior.
Let’s face it, like my puppy, no one wants the “stick” to be used. By nature, the “stick” method can create a feeling of resentment toward the holder of that “stick” and tends to make you want to “just do enough” so you don’t get in trouble.
Whereas the “carrot” method does not include the threat of physical violence, so everyone is generally more at ease. Plus, there is the potential of an upside. If I achieve the required level, I get a carrot, but what happens if I over-achieve? Even more carrots? Or maybe a mixed vegetable tray?
In recent years, in response to the increasing rate at which organizations are being breached, we’ve also seen an increased response from local lawmakers and regulatory bodies to bring in compliance mandates. Things like SOX, PCI, GDPR etc., which force organizations to comply with a set of various security controls and practices.
At face value, these regulations are all very useful in helping to improve the general security posture of an organization, but like the “stick” method, there is a chance organizations will focus most of their effort on compliance, because this can sometimes be a very onerous task. This means they won’t dedicate enough time to actually evaluating what Cybersecurity Risks their business is currently exposed to.
A Security Strategy which is focused on Risks rather than Compliance provides a more “carrot” like approach. You are less likely to stop once you’ve reached the mandated level of compliance because you know there is more upside. You will continue to evaluate where you are most at risk and continue to put measures in place to mitigate, or at least reduce the chance of getting breached and winding up in the newspapers.
A Risk Based Strategy is not only a more practical approach to Cybersecurity, but there are some indications that organized cybercriminals are starting to target organizations that are focusing only on Compliance, i.e. they also understand where the current Regulations force good security controls, so they will just focus their attacks outside of these areas.