We understand the budget constraints and the "rabbit hole" you can get yourself into regarding compliance and security. How much do I do before the cost outweighs the benefit?
Oftentimes while onsite with our clients, we find ourselves discussing the balance between regulations or minimum standards and industry best practices or trends. They often do not align, as some regulations allow a certain amount of "grey" area depending on your risk appetite and cybersecurity maturity. Even worse, some are simply outdated. More simply put: "compliant doesn't always mean secure". I have always used the example that what was a "best practice" two years ago is considered the standard today.
Vala Secure CEO Brad Garland explains at a high level the strategy and benefits of proactive compliance.
We often see a lot of different types of environments. And there are people that are concerned about just being compliant. And there are others that have a more security-minded profile. Talk a little bit about this idea that there are profiles of our clients that are more proactive in nature or more reactive in nature. The ones that are reactive are inherently fighting fires. Any next vendor or customer that comes to them with a question, they have to go off on that. And they end up spending a lot of their time on things that they hadn't planned to do. Whereas for the proactives, when they have a plan and they have a strategy in place to go through an exam, to go through the next major iteration of regulation, it makes that process a whole lot easier for them. So we push people to the idea of looking to be more secure regardless of the compliance requirements that they have.