Bolster Your Regulatory Compliance with Layered Security Measures

Industry experts recommend mapping an enterprise’s compliance efforts to a set of trusted security guidelines from organizations like the National Institute for Standards in Technology (NIST framework) or the International Organization for Standardization (ISO standards). This provides a practical way to:

• Adopt best practices from well-regarded agencies and gain trust
• Align compliance efforts to a variety of regulations and gain efficiency 

However, as attack surfaces — and the regulations — evolve, we should ask: Why not also map your organization’s data compliance efforts to a longstanding cybersecurity principle? Some might call this defense-in-depth, but we think of it as layered security. Either way, this principle of a layered security approach is well understood.

Instead of relying heavily on one type of security tool or control, you can create multiple security layers that combine into a series of interconnected obstacles, traps, and attacker-unfriendly surprises — all designed to thwart threat actors by limiting their options, access, and visibility. Through a layered approach, security controls intended for specific risks can complement one another’s strengths. If one security control fails, another stands behind it, ready to act. If another one picks up an attack signal, its counterpart  can act on the insights and block a threat actor’s movement. If one tool protects human access, the other secures non-human access and, well, you get the idea.

Organizations can apply this approach to compliance. Regulators want proof that you're doing everything you can to prevent attackers from harming data and infrastructure. This includes attacks that publish the personal information of millions of consumers’ or disrupt operations for critical infrastructure fields, such as water treatment plants. 

The stakes are high: regulatory noncompliance boosted the average cost of a data breach from US$4.88 million to nearly US$5.12 million in 2024.

From demonstrating more comprehensive plans to shoring up your reporting capabilities, let’s explore some common gaps and how to address them.

Many organizations have made gains in securing their IT users’ credentials that, in the wrong hands, could give attackers control over networks and access to sensitive data. From Payment Card Industry Data Security Standard (PCI-DSS v4.0) to General Data Protection Regulation (GDPR), regulators expect strong privileged access capabilities. 

However, it also helps to have controls for isolating and securing the data into segments, where each type of data is protected with authorization controls tailored to its unique attributes; this includes data sensitivity and region-specific regulatory requirements. 

When the network is divided into smaller, isolated segments — each with its own information security policies — security teams acquire more precise control over data access and lateral movement. 

With the right microsegmentation tools in place, this granular approach:

• Reduces the attack surface
• Limits the potential damage in the event of a breach or ransomware attack 
• Gives security teams the ability to demonstrate how they’re protecting data, systems, and operations — both in their overall plans and in recurring audits

How else can security teams apply layered security thinking to regulatory compliance? Let’s look at the always essential role of data protection.

According to the 2025 Verizon DBIR report, 60% of breaches stem from the “human element” (think employees falling for phishing schemes that lead to data theft). So, naturally, companies implement identity and access management controls to prevent costly fines and reputational damage. Many regulators and frameworks insist upon it. 

Your organization may be able to show regulators how you’re reducing reliance on passwords, and enforcing two-factor authentication methods for users. But what about the non-human element? 

In a single enterprise, potentially thousands of application programming interfaces (APIs) work behind the scenes to rapidly exchange data. Attackers know that APIs are often misconfigured, lack authentication controls, and are easy to manipulate into returning sensitive information. 

Indeed, 84% of organizations experienced an API security incident in the past 12 months — with IT and security leaders citing an average cost of US$943,162.

By applying a layered security approach to compliance requirements, a security team can complement its workforce access controls with tools for monitoring and securing their API estate. This includes API security posture management capabilities for:

• Analyzing an API’s behavior for anomalies against a benchmark of standard activity

• Identifying malicious activity in real time, and alerting other tools in the mix to apply controls like blocking unauthorized access

• Providing a continuous view of potential API security incidents mapped to the compliance frameworks that you follow

Look for future blog posts in this series, in which we’ll explore ways that enterprise security teams can address compliance gaps and challenges. We believe that complying with data protection laws calls for a strategic approach that’s not so different from the way organizations implement layered strategies to protect every area of the attack surface. 

We’ll cover best practices that are directly linked to what today’s regulators are demanding, including gaining comprehensive visibility across the IT estate.