Cyber Threat INTELLIGENCE: A comprehensive cybersecurity program focuses on more than compliance.

Author: Bolger, Patrick
Position: A WORLD OF RISK

To truly protect their organizations, boards must use their oversight role to move the focus on cybersecurity past regulatory compliance and toward the goals of identifying threats before they happen and being able to respond quickly should an incident occur.

High-profile cyberattacks and increased consumer expectations regarding the protection of their information have resulted in corresponding cybersecurity-focused regulation across the globe. From rules proposed by the SEC to the upcoming European Cyber Resilience Act to China's Personal Information Protection Law, legislation created to tackle cybersecurity issues is growing. But organizations that prioritize compliance ahead of threat intelligence will continue to face significant cyber risk.

An increased focus on cybersecurity, and on the protections an organization has or lacks, should lead to an improvement in resilience across the board. Forcing organizations to improve their cybersecurity programs and processes in order to be compliant raises the collective bar. The global trend toward cybersecurity legislation makes the importance of proper protections and incident response capabilities clear, but how should organizations respond to the growing regulatory demands?

Simply put, compliance does not equal protection. Organizations that build their cybersecurity programs around achieving compliance as the priority will remain exposed to cyberattacks and evolving threats. Further, threat actors are often sophisticated organizations that track regulatory requirements and prioritize the vulnerabilities those requirements leave unaddressed. Instead, organizations should derive their cybersecurity program objectives from intelligence-driven cyber risk assessments, while still adhering to compliance requirements.

A risk-based program ensures that relevant and appropriate protections are implemented while also satisfying compliance requirements. Focusing solely on compliance overlooks the threat side of the equation. Boards of directors are familiar with managing risk, and mitigating or transferring risk is often a high priority. Cybersecurity risk is arguably the greatest risk facing boards today, from both an operational and a reputational perspective, and it will not be properly managed through compliance alone.

A cybersecurity program should be rooted in a commitment to strategic communication, which accounts for key concerns around internal and external correspondence. An...
