Companies that invest in IT security as a way of complying with industry and government regulations are running a risky strategy, says SecureWorks.
"A security-based approach to compliance is better than a compliance-based approach to security," said Jon Ramsey, chief technology officer at SecureWorks.
Regulation usually follows the changing threats and, therefore, any company basing its security investment on that will be behind the curve, he told Computer Weekly.
By focussing on ticking boxes for compliance audits rather than on securing data, businesses tend to open themselves up to attack, said Don Smith, vice-president, engineering and technology at SecureWorks.
For example, many regulations mandate antivirus software, but, in reality, antivirus is effective in detecting only between 30% and 40% of malware.
Also, he said, if a technology is mandated, most organisations will have it, so cybercriminals will craft their attacks to get around these common defences.
"Instead of being led by compliance, businesses should be focussing on identifying and mitigating the specific threats facing their organisation," he said.
The challenge, said Ramsey, is that few companies have the in-house skills required to identify, analyse and respond to the rapidly changing and highly sophisticated methods attackers are using.
Proactive companies that do not have the required skills in-house are engaging with third-party experts rather than waiting until after an attack to call in the help they need to optimise their defence strategy, he said.
A good place to start, said Ramsey, would be to identify an organisation's key information assets and then look at the various ways criminals could target those assets to determine the best way of protecting them.
"Organisations that do not know what they need to protect and do not understand how those assets could be compromised cannot make the right choices to get the best protection against generic and targeted attacks," he said.