Generally, there are three different approaches to implementing cybersecurity. Each approach is described briefly below.
Compliance-based: Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.
Risk-based: Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs.
Ad hoc: An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.
In reality, most organizations with mature security programs use a combination of risk-based and compliance-based approaches. In fact, most standards or regulations such as the Payment Card Industry Data Security Standard (PCIDSS) or the US Health Insurance Portability and Accountability Act (HIPAA) require risk assessments to drive the particular implementation of the required controls.