If organizations are complying with their regulatory obligations, why are they still being breached?
This obvious question exposes a paradox at the heart of everything we do in cybersecurity. It seems that the more we regulate, the more compliance requirements and frameworks we produce, and the more we nurture cybersecurity awareness, the more cyber incidents we face.
What’s going on? Where’s the cause and where’s the effect? Are these organizations really concerned with compliance, or have they slipped into complacency?
If some organizations are paying the price for their negligence, why should we even care? One hint comes from the International Monetary Fund (IMF). In its 2024 Global Financial Stability Report, the IMF expresses concern at the increased risk of extreme loss due to cybersecurity incidents and the potential impact on global financial stability [1]. In other words, as a maturing digital society, we cannot just ignore this problem.
Let’s explore the root causes behind this cyber compliance paradox and what contributions we, as cybersecurity professionals, can make to address it. Brace yourself, there are some harsh truths to confront as we work through this.
An abundance of compliance problems
We certainly cannot plead ignorance, since we know what our responsibilities are. We have frameworks, guidelines and regulations telling us the minimum security requirements we need to defend our resources. Yet here we are.
The plausible deniability defense does not fly.
How are our colleagues in other sectors of the economy doing? When we look to the wider economy, we find that they are also having difficulty aligning their compliance and safety obligations.
In aviation, for example, we have seen Boeing struggling to recover from highly publicized issues, underlining a mismatch between safety and quality obligations that has been driven by a focus on short-term profits. In the financial domain, compliance failures are hardly surprising, but several recent cases concerning financial auditors are more worrying and cast doubt on the trustworthiness of the whole system. Even areas with a strong tradition and history of safety regulation and enforcement, like fire safety, have their share of compliance failures, notably the tragic case of the Grenfell Tower fire in London [2].
So, it’s clearly not just cybersecurity suffering from compliance failures, though our failures are just as monumental. The US healthcare provider UnitedHealth fell victim to a major ransomware incident in the spring of 2024. This brought down logistics and payments systems on a large scale, with critical impact on human safety and wellbeing. “Patients are dying because of this,” a hospital administrator said [3].
As we depend more and more on digital resources, the severity and impact of breaches increase. A study by the University of Minnesota found a nearly 21% increase in mortality for patients in one ransomware-stricken hospital [4].
The key point is that as our digital society matures, as we benefit from its advantages and as our dependency on it increases, we need to acknowledge the criticality of securing these newly minted digital processes and resources.
The usual suspects
When we look for reasons to explain the gap that exists between compliance and security, some topics are often highlighted:
- Skills shortages
- Geopolitical tensions and the rise of cybercriminals
- Technology advances and digitalization changes such as the Cloud, remote working, social networking, supply chain dependencies, AI tech and automation
These are all important, aggravating factors, but the root causes lie elsewhere. In fact, they lie much closer to home.
The harsh truth is that if you are breached, it’s on you. We need to accept that the cybersecurity failures due to noncompliance in our systems are largely our fault – the result of a failure on our part to adequately measure risk and to prioritize and resource our cybersecurity initiatives.
What are we doing wrong?
Structural issues
The Financial Times, in an article in early 2024, pointed out that shareholders are not holding organizational executives and boards accountable for their cybersecurity failings [5]. If you’re not held accountable for specific items, they will naturally slide down your priority list. Deprioritizing cybersecurity is the cue for the theatre of compliance to begin – send in the clowns. What should be robust compliance measures are often more like the façade or pantomime of security. Naturally, breaches run rampant. In fact, the IMF, in a dramatic understatement, suggests that private corporations may simply not care enough about safety and security [1].
The article goes on to indicate that these problems stem from cultural issues at the ownership and board levels. This may be true, especially if one refers to the cultural gap between Finance and Engineering functions. This kind of gap is what we’ve seen highlighted in the case of Boeing.
Whatever the cause of this mismatch, the consequences in terms of the lack of adequate resourcing given to cybersecurity initiatives are evident.
As cybersecurity professionals at the coal face, we have little influence on the structural issues facing the economy. However, we must be aware of them and appreciate that we will continue to be asked to do more with less.
Operational issues
Let’s turn to some root causes that are more directly within our control, where we can affect more immediate, positive change.
Break-fix mindset
Driven by the resource constraints we mentioned already, a lot of organizations naturally fall into a break-fix mode of operation. They find themselves waiting until they detect malicious activity and then addressing the consequences. Besides arriving after the fact, this approach is vulnerable to identity-based attacks that effectively fly under our protection radars using compromised credentials. Attackers also often hide themselves away in pre-positioning attacks, where they remain difficult to detect.
You don’t know what you’ve got
Many organizations lack visibility of systems and access across their environment, especially in older or unmaintained infrastructure, leaving them open to attacks and with no ability to measure the risk they incur. We know that breaches often occur when such systems are compromised, typically in combination with lax credential and access management.
Rubber stamping
Even when compliance processes are in place, they can often be purely a box-ticking exercise without any real engagement or attempt to measure the actual security outcomes.
Examples include mass certification of access with no real validation or closed-loop remediation; incomplete or partial protections and backups; and documents with convincing title pages that, in the end, are empty of real content or not maintained to align with the changing IT, attack and regulatory landscape.
Security silos
Fragmented organizational technology strategies leave gaps between security solutions and teams that malicious actors can exploit. To some extent, the SOC can compensate by centralizing signals, but this introduces a response latency and says little about what preventative policies and measures we need upstream, again reinforcing the break-fix cycle of behavior.
The solution? A preventative approach
These operational issues are difficult to solve, but they at least fall within our domain of control. What may surprise you, given the variety of challenges we’ve mentioned, is that there is one specific area that yields benefits across all these areas – Digital Identity.
Taking control of digital identities in your cybersecurity environment allows you to escape the ineffective detect-respond cycle and prevent malicious activity before it infiltrates your organization. Effective governance policies create digital bulkheads that make lateral movement harder for pre-positioned malware and thus limit the breach blast radius.
Properly managed organizational identities provide better visibility on cyber risk across your whole estate, especially when combined with ITDR (Identity Threat Detection and Response) technologies. This provides a better measure of our exposure in these systems and helps quantify the additional protection that the business obtains by buying additional security coverage.
The rubber-stamping problem in access governance is often driven by business and management staff who don’t really understand the access decisions or processes in which they are being asked to participate. They respond with an “approval-first” behavior that leads to over-provisioning of access. Centralizing access policy and identity controls means that enterprise and access context can be surfaced in a meaningful way to decision makers, allowing us to police and remediate the rubber-stamping problem. There are cultural issues to address here, but a business-friendly UX, targeted AI-driven identity insights and automatically generated identity KPIs drive more effective and meaningful compliance processes.
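As an added illustration (not code from the article or from One Identity) of the identity KPIs described above, the following script computes per-reviewer certification metrics over a constructed set of access-review decisions, flags reviewers whose approve-everything-in-seconds pattern suggests rubber-stamping, and lists approved entitlements that have not been used recently, which is the usage context a reviewer should see instead of a bare approve/revoke prompt. The field names, thresholds and sample data are assumptions for the example.

```python
from statistics import median

# Constructed sample of access-certification decisions (illustrative, not real data).
# last_used_days: days since the entitlement was last exercised; None = never used.
DECISIONS = [
    {"reviewer": "mgr_a", "user": "u1",  "entitlement": "prod_db_admin", "decision": "approve", "seconds": 2,  "last_used_days": 400},
    {"reviewer": "mgr_a", "user": "u2",  "entitlement": "hr_payroll_rw", "decision": "approve", "seconds": 1,  "last_used_days": 12},
    {"reviewer": "mgr_a", "user": "u3",  "entitlement": "vpn_full",      "decision": "approve", "seconds": 3,  "last_used_days": None},
    {"reviewer": "mgr_a", "user": "u4",  "entitlement": "erp_admin",     "decision": "approve", "seconds": 2,  "last_used_days": 200},
    {"reviewer": "mgr_a", "user": "u5",  "entitlement": "git_write",     "decision": "approve", "seconds": 2,  "last_used_days": 3},
    {"reviewer": "mgr_b", "user": "u6",  "entitlement": "prod_db_admin", "decision": "revoke",  "seconds": 45, "last_used_days": 300},
    {"reviewer": "mgr_b", "user": "u7",  "entitlement": "git_write",     "decision": "approve", "seconds": 30, "last_used_days": 1},
    {"reviewer": "mgr_b", "user": "u8",  "entitlement": "vpn_full",      "decision": "approve", "seconds": 25, "last_used_days": 7},
    {"reviewer": "mgr_b", "user": "u9",  "entitlement": "erp_admin",     "decision": "revoke",  "seconds": 60, "last_used_days": None},
    {"reviewer": "mgr_b", "user": "u10", "entitlement": "hr_payroll_rw", "decision": "approve", "seconds": 40, "last_used_days": 20},
]

def reviewer_kpis(decisions):
    """Per-reviewer KPIs: decision count, approval rate, median seconds spent per decision."""
    by_reviewer = {}
    for d in decisions:
        by_reviewer.setdefault(d["reviewer"], []).append(d)
    kpis = {}
    for reviewer, items in by_reviewer.items():
        approvals = sum(1 for d in items if d["decision"] == "approve")
        kpis[reviewer] = {
            "decisions": len(items),
            "approval_rate": approvals / len(items),
            "median_seconds": median(d["seconds"] for d in items),
        }
    return kpis

def flag_rubber_stampers(decisions, min_decisions=5, min_approval_rate=0.95, max_median_seconds=5):
    """Reviewers who approve nearly everything in a few seconds each: no real validation is likely."""
    return sorted(
        reviewer for reviewer, k in reviewer_kpis(decisions).items()
        if k["decisions"] >= min_decisions
        and k["approval_rate"] >= min_approval_rate
        and k["median_seconds"] <= max_median_seconds
    )

def dormant_approvals(decisions, dormant_days=90):
    """Approved entitlements unused for more than dormant_days (or never): over-provisioning candidates."""
    return [
        (d["user"], d["entitlement"]) for d in decisions
        if d["decision"] == "approve"
        and (d["last_used_days"] is None or d["last_used_days"] > dormant_days)
    ]
```

In practice the decision records would be exported from the IGA platform's certification campaign and the usage data from the target systems' access logs; the thresholds should be tuned to the organization's own campaign sizes.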
No one technology covers all cybersecurity needs, but factoring identity out of applications and systems and centralizing policy helps reduce inconsistencies due to the silo effect between technologies and teams. The more connected our identity technologies are in themselves, and to the wider security ecosystem, the less opportunity we leave for malicious actors to exploit gaps and oversights. A great way to ensure the identity ecosystem connects to wider cybersecurity is for identity architects and IAM leaders to participate in Zero Trust initiatives where they articulate the importance of Digital Identity to achieving Zero Trust goals.
In summary, identity solutions that centralize and automate identity management show significant return on investment because they influence positive outcomes across a variety of security activities and allow preventative and detective measures to work together for optimal results.
Conclusion
We need to acknowledge the true priority, value and cost of cybersecurity before we can reap the benefits from our digital society. A key part of that success will be a secure Digital Identity ecosystem that underpins the control measures and compliance enforcement needed to deliver the security and safety we all deserve.
Digital Identity security resides on well-known pillars of identity such as Identity Governance and Administration (IGA), Privileged Access Management (PAM), Access Management (AM) and the security of foundational directories like Active Directory (AD) and Entra ID. Taking a unified approach to identity security means we avoid the mistake of introducing yet more cybersecurity silos. In fact, a connected fabric of well-integrated identity services brings additional value such as behavior-driven governance, privileged access governance, and Just-in-Time and least-privilege access processes that all drive measurable compliance enforcement.
Although the end goal is a unified identity fabric, it is important that organizations can start with measures that address their specific, immediate concerns, expanding over time to cover all facets of identity. One Identity takes exactly this approach, partnering with organizations to trace a personalized and viable path to IAM maturity.