Ensuring quality in DORA compliance

In cyber security, the interplay between compliance and quality is crucial

31 July 2024. Originally published on CS Hub.
By Rodrigo Marcos Alvarez, Chair of CREST’s Europe Council and CEO of SECFORCE Ltd.

Cyber security is seeing an increasing number of compliance initiatives, aiming to enhance the resilience of organizations to cyber attacks and the safeguarding of information assets. Notably, the adoption of the Digital Operational Resilience Act (DORA) will promote collaboration among institutions in the European Union (EU) to take advantage of a strength in numbers approach, co-operating against cyber criminals.

The interplay between compliance and quality is crucial in cyber security. So, as regulatory frameworks like DORA begin to shape cyber security practices, it is imperative that organizations integrate quality assurance measures to mitigate risk effectively.

The Ford Pinto debacle: Compliance gone wrong

The Ford Pinto episode highlights the consequences of prioritizing compliance over quality. In the 1970s, the Ford Motor Company faced intense competition in the subcompact car market. To meet regulatory standards and compete effectively, Ford sped up the production of the Pinto. In rushing production to meet regulatory standards, Ford overlooked critical safety concerns, leading to fatal flaws in the Pinto’s design. In the pursuit of compliance, Ford made critical design decisions that led to positioning the fuel tank at the rear of the vehicle. This placement made it vulnerable to rupture in rear-end collisions, leading to catastrophic consequences. Compliance, at the expense of consumer safety, tarnished Ford’s reputation and resulted in significant financial and legal repercussions.

Ford’s decision-making mirrors situations in cyber security where deadlines for compliance are quickly approaching in a marketplace with a scarcity of credible providers. Where organizations focus solely on meeting regulations like DORA, they could neglect fundamental principles in the selection and procurement of competent cyber security providers and individuals, potentially leading to a false sense of security and ultimately to successful cyber attacks. Compliance, while of course essential, should not overshadow the overarching goal of protecting sensitive information assets and ensuring robust cyber security practices.

What is DORA?

The financial services industry, like many others, is going through a period of significant digital transformation. The EU introduced DORA in response to the growing reliance on digital infrastructure and the increasing threat of cyber attacks. It is a comprehensive regulatory framework that aims to bolster the operational resilience of financial entities operating in the digital landscape.

DORA comprises five key pillars, each addressing a critical aspect of digital operational resilience.

1. ICT risk management: DORA mandates that financial entities establish and maintain resilient ICT systems and tools. This involves continuous risk identification, protection measures, prompt anomaly detection and robust business continuity policies.

2. ICT-related incident management: Incident management is a cornerstone of DORA. Financial entities must develop structured processes for detecting, handling and reporting incidents. This includes identifying root causes and reporting to relevant authorities within specific timeframes.

3. Digital operational resilience testing: DORA mandates organizations undergo resilience testing, which includes penetration testing and threat-intelligence led assessments. The objective is to evaluate the effectiveness of security controls against cyber threats.

4. Third-party risk management: Financial entities must treat third-party risks as their own. This entails maintaining a comprehensive risk register of third-party providers, conducting risk assessments for new and existing agreements and reporting to competent authorities.

5. Information sharing arrangements: Collaboration and information sharing are at the core of DORA. Establishing trusted communities for sharing threat data, insights and best practices is essential.

How to ensure a quality service provider

In the pursuit of assurance of quality cyber security services, organizations can turn to industry-standard individual certifications and company accreditations, such as those delivered by CREST. Standards like these can play a pivotal role in ensuring cyber security services and professionals adhere to rigorous quality standards. Following the analogy of the Ford Pinto, professional bodies like CREST ensure quality standards are always met by accredited providers, and therefore provide a high level of assurance in a crowded marketplace.

Certification and accreditation ensure professionals and organizations meet stringent requirements. For example, when it comes to penetration testing, they enable organizations to check they are working with competent and ethical testers. Promotion and assurance of good practice and continuous improvement in penetration testing, along with other cyber disciplines, help ensure testing is conducted thoroughly and effectively, raising the overall quality of services provided by cyber security providers.

All of these standards need to be set by an independent body so it can provide oversight and validation of the capabilities and expertise of cyber security providers. It is this independent validation that adds measurable credibility to the services offered by certified providers, enhancing client confidence in their ability to deliver effective cyber security services.

Overall, professional bodies play a vital role in raising assurance levels for organizations when commissioning cyber security providers. Buyers can then trust that working with certified providers will result in thorough, effective and professional cyber security services.

The Ford Pinto saga underscores the pitfalls of prioritizing compliance over quality – a lesson that is particularly applicable to cyber security. As organizations increasingly navigate regulatory landscapes like DORA, they must ensure they also include robust quality assurance measures when choosing vendors. Organizations like CREST can help by providing an impartial benchmark that ensures robust cyber security practices and quality-assures cyber security service providers globally. In today’s ever-evolving threat landscape, it is only by striking the right balance between compliance and quality that organizations can truly fortify their defenses and mitigate cyber risks effectively.