#NextGenResearch: How Familiar Are You With Compliance Frameworks?

At the start of this year, Infosecurity conducted its second State of Cybersecurity Report. This determined 31 distinct trends in cybersecurity that respondents believed were driving the industry.

Following on from the publication of this report, Infosecurity launched a second piece of research, engaging with students, people on work placements and those starting out their careers in cybersecurity to find out how these trends affected them.

Compliance was top rated in our 2018 research, and came in as the third biggest trend in this year’s survey. Last week, we asked our respondents if they were seeing more demand for governance, risk and compliance in job ads; this week, we ask how familiar they are with the demands of the various frameworks and regulations.

Specifically, we mentioned GDPR, PCI DSS and PSD2, and asked respondents if they knew what they were, and how they were different. We received 54 responses, of which 35 were positive, and 19 were negative.

From the positive responses, one respondent acknowledged that the “differentiation and demands of the different compliance frameworks seem to be fairly widely known,” and there is plenty of guidance material available to get up to speed with the basics. In fact, the overall consensus was that this is something that can be picked up with some personal training, and most cited GDPR, probably as a result of the extensive media coverage and approval emails received in the lead-up to the May 25, 2018 compliance deadline.

There did seem to be a lack of knowledge around PSD2, while PCI DSS affected those who had to work with it. One respondent cited familiarity with GDPR as their CTF platform “stores some PII,” while another said that client queries “for more information about all different compliance related demands” led them to learn more about the different frameworks.

Another respondent said that they were studying a security management degree at university, which they described as a “new degree and not your typical security course, but instead focuses on high level security - especially surrounding standards, legislation and compliance.”

They explained that knowledge of compliance frameworks is invaluable for a security professional, and “can help shape the assessment of risks in a company and provide an outlet for the proposition of security solutions.”

On the negative side, there was a mix of responses: some said that there is a lack of education around these topics at university “whilst often at conferences it is spoken about a lot”, while others said that they had to research to even answer our initial question. One respondent did say that having looked into the frameworks: “It’s a must have in order to keep infrastructures safe and to not have data compromised.”

There was a general positivity about GDPR among the positive responses, and the PSD2 framework seemed to be new to many of the people we spoke to. One respondent said that whilst on a placement as an IT intern, they had “low level” visibility of these frameworks “as I would have directly come across people's data.”

One more respondent said that the frameworks “are quite detailed and there are often not enough hours in the day to fully understand all of them.”

Maybe this is the issue: we’re talking about changing demands of knowledge, and if people do not see it as part of their general role and responsibility, are they going to take the actions needed to do some extra learning? The telling comment here was that it is talked about at conferences but not in further education, and maybe that needs to be better balanced.
