A common factor across many recent security breaches is that the targeted enterprise was compliant: it had passed its Payment Card Industry Data Security Standard (PCI DSS) audit, yet customer data was still compromised. Being compliant is not by itself enough to mitigate likely attacks and protect critical information, because an audit checks that required controls exist at a point in time, not that they actually stop the threats the organization faces. In today's constantly evolving threat landscape, organizations need to focus on securing the business first and documenting the process to show compliance second, not the other way around. There is no silver bullet, but organizations can reduce their chances of compromise by moving from a compliance-driven approach to a risk-management approach to security.
In 2008, a consortium of government agencies and private-sector security experts, coordinated by the SANS Institute (a research and education organization for security professionals), developed the Top 20 Critical Security Controls (CSCs) to address the need for a risk-based approach to security. Before this, security standards and requirements frameworks were predominantly compliance-based, with little connection to the real-world attacks they were intended to address. The Controls are prioritized so that organizations can focus their security efforts where they have the greatest impact on reducing risk, starting with the controls that counter the most common attack techniques. In 2013, stewardship of the Controls was transferred to the Council on CyberSecurity, an independent, global non-profit entity; in 2015 the Council merged into the Center for Internet Security (CIS), and the Controls are now published as the CIS Controls.