From Scratch to Compliance

Compliance with requirements is not an appropriate goal in itself.

March 18, 2026

By Nick Lyngaae Jørgensen

Over the past 20 years in the industry, there have been incredible advancements in the field of security. Back in the day, when people asked what we did and we replied that we worked in IT, their faces would suddenly look bored in the blink of an eye.

If, after taking a moment to compose themselves, they let their good manners prevail and asked what field we were working in, and we replied, “security,” they were, despite their good manners, simply unable to muster any interest in the subject.

Twenty years ago, almost no so-called “normal” people were interested in IT security, but fortunately that has changed since then. When we tell people today that we work in IT/information security, they are often interested (or at least not completely uninterested). They demonstrate a much higher level of understanding, ask questions that reflect this, and listen patiently to our pitch.

As people began to realize the potential of the internet, they flocked to various websites—primarily those offering online shopping—and social media. However, many quickly learned the hard way that security is important—if your personal data is stolen, it can have extremely unpleasant consequences.

Because of these and other factors, people have become more aware of the importance of security over the years. There is certainly still a long way to go before the average internet user stops using weak passwords and clicking on phishing emails, but in our experience, things are moving in the right direction.

As for companies, things are also moving in the right direction in some cases, although, in our view, they sometimes fail to focus on what matters most.

Over the past few years, we have seen how countries have suddenly realized the importance of maintaining security across the board. That is why our customers and other companies are subject to various requirements and standards—such as GDPR, NIS2, and DORA—that they must comply with. If they fail to do so—that is, if they are not “compliant”—they risk being penalized with fines.

Furthermore, many of our clients are now finding that their customers are requiring them to hold certain certifications, such as ISO or ISAE.

In many ways, this is a good thing. Compliance requirements help raise awareness among a company’s management and employees that certain things need to be protected, and we believe this awareness is the first step toward achieving a practical and sustainable level of security.

But compliance is not the same as security.

"Well, yes," you might say, "but since our company makes sure to comply with the various compliance requirements, that surely also results in a higher level of security."

We agree with this view, but there is one catch: the actual security benefits rarely justify the effort required to achieve compliance. Even full compliance does not necessarily equate to adequate security. So compliance can create a false sense of security.

Problems arise when companies, having made significant efforts to meet and comply with various compliance requirements, believe they are well-equipped to withstand hacker attacks. In that case, many companies and their management will face two “gaps”: one between the demonstrably necessary level of security and the level of security they believe they have, and another between the latter and the level they actually have.

Despite the measures mentioned above, there is still not enough focus on, or willingness to address, the first gap, and in many cases there is not even an awareness that the second gap exists.

Many companies have gone "from zero to compliance" and therefore believe they are secure, but have somewhat neglected security along the way. And this is a huge problem!

Companies aren’t hacked because they aren’t sufficiently compliant—they’re hacked because they aren’t sufficiently secure.

It is our view that companies should focus on achieving a high level of security. This will naturally lead to a high level of compliance as well. What’s more, this compliance is achieved organically and can be documented!

Now you’ve gone from zero to secure—and achieved compliance in the process.
