Recently, RiskRecon and the Cyentia Institute launched a research report called The State of Noncompliance in Cyber Risk, which aimed to understand which regulations related to third-party risk management are the toughest for firms to meet, and which parts of these standards are causing the most issues as seen by the RiskRecon platform. This will be the last blog in our series, but we invite you to go back and review the other pieces at any time.

In this blog we look at the most common security issues causing noncompliance, examine which industries are struggling most with compliance mandates, and provide final thoughts on our research. 

The security findings discovered in RiskRecon assessments consist of checks across 40 discrete security criteria that are then grouped into nine generalized security domains. For example, a test of a security control, such as the use of HTTP security headers, is a security criterion check. That criterion falls into the overarching security domain of Web Application security, which also includes other criteria, such as CMS access control.

In this report, we mapped 20 security criteria and seven domains back to the compliance standards examined. These include:

Compliance report security domains

Combining our views of common issues across domains and criteria, it is clear how much variability there is among all these categories and subcategories.

One of the questions we hoped we could answer with this analysis is: which industries struggle most with compliance standards?

Interestingly, when we break our sample up by industry and look at the distribution of noncompliant requirements per organization, the median pattern doesn't vary a great deal across industries. ISO is the most challenging, while NIST CSF is the most compliant.

The box plots show signs of the predictable pattern of Education being the most challenged and Finance emerging as the least challenged. This is a trend we have seen in the past (see previous work such as The Value of Better Data in Third-Party Risk Assessment). However, a better assessment of how well industries are doing is one viewed in light of finding density, which, as a reminder, is the number of compliance findings on high value hosts divided by the total number of high value hosts at an organization.

The industries that need the most work across all standards are: Construction, Public Administration, and Real Estate. 

Conclusion

Organizations across all industries are tasked with keeping their clients' information, as well as their own, safe. While compliance does not guarantee security, working to meet compliance standards is a way for many companies to build security practices into various parts of their organization and business. Cybersecurity regulations and frameworks, authored by a bevy of government and industry oversight groups, can provide a barometer for baseline security best practices. Regardless of whether the standards come from the PCI Council, NIST, ISO, or CIS, they offer a reference point that organizations can use to chart their security risk posture journey. Even so, almost every single organization has some form of noncompliance.

Throughout this report, we have worked to unpack and understand the risk associated with noncompliance. We found that organizations whose hosts are in the cloud are significantly less likely to have compliance issues than organizations with on-premise hosts. To relate noncompliance to "actual" risk, we examined the results through our finding density lens. We found that finding density increases as the percentage of noncompliant items within an organization increases. Even through an industry lens, we did not see a difference in the median number of noncompliant requirements: consistently, ISO is the most challenging to meet, while NIST CSF is the most compliant.

So, what does this mean for organizations looking towards compliance as a measure of security? We know, and understand, that checkbox compliance is not a path leading to a robust risk management posture. However, we can clearly see that noncompliance does increase the finding density within organizations. While they are not a silver bullet for a risk-free security program, compliance standards, and working to achieve them, do help to minimize the number of important findings on an organization's high value assets.

This is just the beginning of working to understand the relationship between risk posture and noncompliance. The more data that continues to be shared across and between organizations and industries, the more likely we will be able to keep drawing correlations and conclusions about the relationship between compliance and risk.

Download the study today to see the full results from our research, and stay tuned for our next blog which will look at the lack of visibility into third and Nth parties.