Tony Anscombe, chief security evangelist at ESET.
Cyber risk management is a central focus of cyber security strategies, and these strategies must prioritise compliance frameworks, says Tony Anscombe, chief security evangelist at ESET.
Anscombe is scheduled to speak at the ITWeb Security Summit Johannesburg 2025, at the Sandton Convention Centre, on 3 and 4 June. He will discuss the growing significance of compliance frameworks in today’s cyber security landscape.
According to Anscombe, there are two primary types of cyber security frameworks: compliance frameworks and those designed to improve overall cyber security posture. He emphasises that compliance frameworks are regulatory requirements, especially in sectors like finance and healthcare.
During his presentation, Anscombe will clarify what compliance frameworks are, why they are crucial and the factors companies should consider when selecting a framework.
“Regulatory compliance frameworks are designed to ensure organisations protect data using a structured approach, thereby reducing risk for both the organisation and the data subject. Non-compliance can result in significant penalties, and the financial risk of these penalties often drives efforts and secures the necessary budget to meet compliance requirements,” says Anscombe.
ESET notes that frameworks within certain industry sectors can be quite specific. For example, PCI DSS (the Payment Card Industry Data Security Standard) mandates secure processing of payment card data to protect cardholders and reduce fraud. However, many of the requirements within sector-specific regulations overlap with common cyber security frameworks such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework.
“This overlap is also evident in privacy legislation. For instance, the California Consumer Privacy Act (CCPA) requires businesses to implement ‘reasonable security’. Any business needing to comply with CCPA is likely to follow a framework like NIST to demonstrate they have adopted the best practices for achieving reasonable security,” Anscombe explains.
Harmonising regulatory frameworks adds value, says Anscombe: “For example, when one regulatory framework is based on geographic location and another is based on the residence of an individual, it becomes complex for companies and data subjects to determine which framework applies, or whether both do. However, the accountability element means that harmonisation would likely apply only to the requirements, not the regulatory frameworks themselves, which include penalties. Any harmonisation might delay progress, as too many organisations attempting to agree on a new standard could slow the evolution of frameworks, benefiting only those seeking to exploit weaknesses.”
Anscombe also cautions against an overemphasis on following every element of a framework. Businesses need to determine their approach to acceptable risk and adapt the framework’s requirements accordingly.
Essential principles within a framework should be adopted, and where adaptations are made or certain elements are not followed, companies should document the reasons for those decisions, he adds.