You can be compliant without being secure or resilient to threats. Why does this matter and why do we need to take a more integrated approach to better prepare our business for what may happen? What is the difference between compliance and resilience? Let’s have a look at an example. 

I used to be a competitive power lifter. On competition day I had to ensure I followed the rules and complied with all the requirements, such as lift commands and using the right equipment, so that I didn’t get disqualified. As long as I showed up on the platform, completed my lifts on command and within the time limits, I was compliant. It was a moment-in-time assessment carried out against those criteria.

What wasn’t assessed was the work and planning that went into my resilience. I would train for a competition but within this training were a lot of other factors. As well as training for my main lifts, I would also train the dependent muscles that supported those lifts. I would have to support those interdependencies through food, rest and sport massage. I had to know what would happen if something didn’t go to plan, so my energy was used focusing on recovery efforts. 

It is the same in business. When we are resilient, we plan and must understand not only the main critical business functions but also interdependencies. We stress test every function so that when something goes wrong, we can learn to respond faster and focus our efforts on what matters.  

Being compliant is, more often than not, an audit carried out at a point in time to gain a certificate or prove adherence to regulations. There is a huge difference between being compliant and having an incident response plan, and actually investing resource and time in testing that response plan and making sure everyone in the business fully understands their roles and responsibilities.

Both can co-exist, but if you are only focusing on compliance, you may be operating with a false sense of security. Planning and testing the resilience of your organisation will be the determining factor in how quickly you can recover from an attack. Resilience must be baked into your organisation, and compliance activities tested frequently, so that when you are faced with an attack you are ready to respond.

Author

Dawn O'Connor

Dawn is a Co-Founder of Shift Key Cyber. She has 25 years’ experience in risk advisory. She is an ISO 27001 Lead Implementer, an ISO 22301 Lead Implementer and an IASME Certified Assessor. She is a member of the Chartered Institute of Information Security and the British Computer Society.