Balancing Cybersecurity Risk Management and Compliance


Posted on by Mike Green

Many organizations are working steadily to mature their cybersecurity posture, and this push has produced cybersecurity standards and regulations such as ISO 27001/27002, the Federal Information Security Modernization Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), and, more recently, the Cybersecurity Maturity Model Certification (CMMC). Each prescribes baseline security controls and best practices in an attempt to level up an organization’s cybersecurity program through compliance.


Unfortunately, for some, the security processes and controls put into practice to meet compliance requirements are not sufficient to address the dynamic nature of technology, continuously evolving threats, and the specific risks to their organization. Regulation changes slowly, and implementing only a baseline of prescribed controls and practices can lead to mediocrity by targeting the lowest common denominator of compliance. To ensure that a cybersecurity program can meet an organization’s specific needs today and into the future, a risk-based approach to managing cybersecurity should be adopted.


The issue with a compliance-based approach to cybersecurity risk management, particularly for organizations with less mature cybersecurity programs, is that it does not take into account the specific risks to the organization. When an organization becomes too focused on ticking the compliance checkbox, it often loses sight of what it is actually trying to accomplish. In these cases, it is easy to end up with new tools bought to cover perceived deficiencies but left in their default configurations, so that the tool is in place yet the intent of the targeted security control is not met.


A better method for building sustainable and resilient cybersecurity programs is a risk-based approach, in which organization-specific risks are evaluated to inform the organization’s cybersecurity capabilities. Before an organization can right-size its cybersecurity program to ensure it is appropriately addressing risk, however, it must first inventory its assets and map them to its critical business processes in order to understand its risk profile. This initial step allows leadership to document and evaluate the unique risks to the organization. An organization-wide risk register should be used to capture the details of items that are material to the business, such as the financial concerns associated with specific projects, the environmental concerns of a new expansion, or the specific regulatory requirements of the organization’s industry.


Among all of these specific concerns, however, organizations must be mindful to define “cybersecurity risk” as more than a single line item. For example, is the organization worried about a breach disclosing sensitive information because of an unpatched server (a confidentiality risk)? Is it concerned about a compromised system causing service outages because of a misconfiguration (an availability risk)? Is it apprehensive that its data could be tampered with and modified because of loose access controls (an integrity risk)? The goal of these probing questions is to get to the real concerns.


By thinking about what to protect, whether that is protecting data from disclosure, from unavailability, or from modification, an organization can begin to understand why it needs to implement specific cybersecurity controls. The resulting risk profile should then be used as the input that drives the development and maturity of aligned cybersecurity capabilities.


A risk-based approach lets organizations focus on why a given cybersecurity capability matters for managing a specific risk. Understanding the “why” behind a control shifts attention from the checkbox of putting a new capability in place to making sure the capability actually improves the cybersecurity program, and it ensures controls are implemented in a way that meets defined goals for maturing those capabilities. That understanding then becomes the key driver for how the organization implements cybersecurity standards and regulations, rather than implementing them in a vacuum.


Ultimately, every organization has different priorities, and what may be a minor concern for one may be a business driver for another. By understanding its specific cybersecurity risks, an organization can better judge how mature its capabilities need to be and what to prioritize in order to build cybersecurity resilience, and compliance along with it, into the organization.

Contributors
Mike Green

Cybersecurity Engineer, Optic Cyber Solutions

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC™ Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

