
Is Compliance-Only Security Giving Cybercriminals Your Security Playbook?

June 30, 2021

Today’s chief information security officer (CISO) is often judged by how well the organization adheres to compliance regulations. But when organizations focus solely on compliance, they are missing important cybersecurity practices and are essentially handing their security playbooks to attackers.

This is because most organizations follow a set of industry-specific compliance requirements that are publicly available and typically have static, legacy security requirements baked in, which gives attackers a good sense of an organization’s defenses. By understanding an organization’s compliance regulations, a threat actor can target it more effectively and better understand the barrier to entry in most organizations.

Read More on Dark Reading