Mind the Cybersecurity Gap – Why Compliance Isn't Enough


Experts with insight into managing security and compliance programs shared their experience with Tripwire; read some of their thoughts here.

What are the limitations of compliance when it comes to cybersecurity?

Compliance does not equal security. Security does not equal secure.


Stuart Coulson | Manager of Business Engagement

Compliance is transient comfort. Robust risk management is persistent, but better informed, discomfort. The latter should be preferable.
Sarah Clarke | Security Governance, Risk, Compliance Specialist

Compliance can drive a culture of checking the box to deliver the bare minimum, and this is wrong on so many levels when it comes to cybersecurity.
Christian Toon | CISO
Angus Macrae | Head of Cybersecurity
The limitations are that the cyber world outside of compliance still moves very quickly, and simply being certified with a particular standard does not and cannot necessarily mean that you are in all ways “cyber secure.”

Being compliant limits your approach to security to the narrow confines of the standard you are using. Like looking through ‘rose-tinted glasses,’ everything will appear okay because that is the lens you are using.
Gary Hibberd | Professor of Communicating Cyber
Compliance demonstrates a minimum standard to compliance, while security shows the process of implementing controls for compliance and perhaps even a step beyond the level set by the standards. However, “secure” means being able to mitigate attacks.
Stuart Coulson | Manager of Business Engagement

The disconnect between the compliance line and a robust threat and risk assessment can result in significant levels of misinformed spending.
Sarah Clarke | Security Governance, Risk, Compliance Specialist
What should organizations consider to close the gap between compliance and security?

Christian Toon | CISO
You can’t wait for authoritative bodies to update legislation, standards, or frameworks to tell you what to do. Create a security program that operates threat-based controls.

Nothing will get done if senior stakeholders are not getting clear and concise information on the scale and nature of required work.
Sarah Clarke | Security Governance, Risk, Compliance Specialist

Being compliant is a ‘point-in-time’ evaluation, but being secure is ongoing and enduring.
Gary Hibberd | Professor of Communicating Cyber

Compliance comes with a cost, so ensure you emphasize return on investment.


Stuart Coulson | Manager of Business Engagement

Download your copy of the white paper and discover:
• The drivers of the gap between security and compliance
• The challenges of achieving both security and compliance
• How organizations can overcome these challenges

https://www.tripwire.com/solutions/compliance-solutions/mind-the-cybersecurity-compliance-gap
