Aligning Cybersecurity, Compliance, and Business Operations as Regulations Change
In today’s regulatory environment, aligning cybersecurity, compliance and business operations is no longer a choice but a necessity. Businesses are faced with a growing set of regulations such as GDPR, CCPA, NIS2, and newer mandates from regions like the EU and the United States, all of which affect how they manage data and protect their digital assets. Cybersecurity teams must work together with legal, compliance, and operations teams across the entire business to build a sustainable, scalable and compliant framework that helps the business grow while mitigating risk.
The introduction of new regulatory rules around the world, such as the recent NIS2 from Europe, adds more work for cybersecurity practitioners. The European Union’s NIS2 (Network and Information Security Directive) aims to enhance cybersecurity across the EU by setting stricter security requirements for critical infrastructure sectors like energy, finance, healthcare, and digital services.
Moreover, Australia’s latest cybersecurity regulations, driven by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, significantly expand the scope of protections for critical infrastructure. The new laws impose mandatory cybersecurity risk management programs and reporting requirements for sectors such as energy, healthcare, financial services, and communications.
They introduce stringent obligations on organizations to bolster their security posture, including proactive measures to prevent cyberattacks and mandatory reporting of significant cyber incidents within 12 hours for critical infrastructure entities.
These regulations emphasize the need for enhanced resilience, accountability, and collaboration with the government to safeguard national interests from rising cyber threats.
Key items that each practitioner should be focusing on are:
Build Buy-in for Your Security Program
Align Priorities with Legal and Compliance
Build Alliances to Ensure Product Development Supports Regulations
Ensure Your BC/DR Supports and Accounts for Regulatory Requirements
1. Build Buy-in for Your Security Program
One of the biggest challenges in many organizations is getting leadership and cross-functional teams to fully buy into the cybersecurity program. Security is often seen as a cost center, which makes it difficult to drive a security-first culture. However, the increase in regulations, particularly around privacy and data handling, provides an opportunity for cybersecurity leaders to align their priorities with the business.
Take the example of LoanDepot, a major U.S.-based mortgage lender that suffered a significant breach. Post-breach, it was revealed that inadequate investment in cybersecurity was partly responsible for the attack. LoanDepot's breach not only compromised customer data but also led to lawsuits and regulatory scrutiny. Organizations can learn from this incident by using regulatory requirements as a driver to build leadership buy-in. By showcasing how a strong security program protects the business from operational disruptions, legal liabilities, and regulatory fines, you make cybersecurity an indispensable part of business strategy.
James’s Actionable Tip: Work closely with the executive team to develop a clear understanding of how cybersecurity aligns with their goals and offer data-driven insights to show how your security program directly impacts compliance and regulatory readiness.
2. Align Priorities with Legal and Compliance
Cybersecurity isn’t just a technical issue—it has significant legal implications as well. Increasingly stringent data privacy laws mean that legal and compliance teams are at the forefront of ensuring the business adheres to both national and international regulations. Aligning cybersecurity initiatives with legal and compliance teams will ensure that the company is prepared for audits, certification processes, and regulatory reporting.
Take Microsoft's response to the Schrems II ruling, which invalidated the EU-U.S. Privacy Shield, a key legal framework that allowed for transatlantic data transfers. Microsoft had to swiftly adjust its data storage and processing policies to comply with GDPR regulations. Their approach was proactive, and they worked closely with legal teams to ensure they met the requirements. This collaboration ensured that compliance was baked into every aspect of their business operations, from data centers to product development.
In some organizations, cybersecurity rolls up under legal, with the CISO reporting to legal. This gives a distinct advantage in getting executive buy-in, as the General Counsel (GC) typically has considerable ability to influence decision making effectively.
James’s Actionable Tip: Regularly meet with legal and compliance teams to review upcoming regulations and create cross-functional task forces to handle compliance-related cybersecurity tasks. This ensures cybersecurity risks are mitigated within legal constraints.
3. Build Alliances to Ensure Product Development Supports Regulations
Product development teams are often focused on innovation, speed, and customer demands. However, with the growing number of data privacy and security regulations, it’s critical that security and compliance are considered from the start. Building strong alliances between cybersecurity and product development can ensure that new features and products are compliant with regulations such as GDPR, HIPAA, or industry-specific guidelines.
For example, after the EU’s General Data Protection Regulation (GDPR) went into effect, many tech companies had to redesign their products with “privacy by design” principles. Companies like Facebook and Google had to rework key components of their data-handling practices to avoid hefty fines. Facebook, in particular, faced multiple fines due to compliance gaps that could have been avoided had security and compliance been integrated into the product development process earlier, with appropriate legal oversight.
James’s Actionable Tip: Set up dedicated security champions within product teams who are responsible for understanding regulatory implications and ensuring compliance is built into product design from the start.
4. Ensure Your BC/DR Supports and Accounts for Regulatory Requirements
Business continuity and disaster recovery (BC/DR) plans are critical in today’s regulatory landscape. Regulatory frameworks now demand that businesses not only secure their environments but also have clear strategies for recovery in the event of a cyberattack or other disruptive events. With cyberattacks like ransomware becoming more sophisticated and common, regulators expect businesses to have robust disaster recovery measures that can ensure the integrity and availability of data, even during an incident.
Consider the case of Colonial Pipeline. In 2021, Colonial Pipeline was hit by a ransomware attack that caused a major disruption to the U.S. fuel supply. The company had to halt operations, and it was clear that their disaster recovery plan wasn’t prepared for such an attack. Beyond the immediate operational impact, Colonial Pipeline also had to answer to regulatory bodies and lawmakers about their lack of preparedness.
BC/DR strategies that meet regulatory requirements aren’t just good for compliance—they’re crucial for business survival. A well-aligned BC/DR strategy can minimize downtime, reduce regulatory penalties, and demonstrate to stakeholders that the business takes cybersecurity and operational resilience seriously.
James’s Actionable Tip: Regularly update your BC/DR plans to reflect current regulatory requirements, including recovery time objectives (RTOs) and recovery point objectives (RPOs) mandated by the latest standards. Quarterly tabletop exercises are important.
Conclusion
As regulations evolve, so must the strategies organizations use to align cybersecurity with compliance and business operations. Building buy-in for your cybersecurity program, ensuring priorities are aligned with legal and compliance teams, fostering collaboration with product development and the business teams, and ensuring your BC/DR plans meet regulatory standards will position your company to not only survive but thrive in the complex regulatory landscape.