How do you weigh compliance in your information security program? Does it take the most important place, the front seat to all other initiatives? Or is it an afterthought that is no longer practical in today’s cybersecurity landscape? So many companies that were certified as ‘compliant’ were still breached and have had data stolen.

In this article, I share my perspective on how to include compliance in your cybersecurity program without treating it as the golden ticket for security.


Know the compliance rules

First, you need to have someone (an internal resource or an external consultant) review the compliance laws and determine whether your company is in scope for the regulations. This might sound silly because maybe you already know, but I’ve worked with several businesses that were collecting data that put them clearly in scope for compliance regulations, and they were totally unaware of it. Because these laws and regulations change frequently, it’s a good practice to check on an annual basis.

Whether it’s someone internal or external, I do recommend that it be someone outside the security organization. Unless you have someone on your security staff who has been trained in legal matters, it’s best to have someone else review them. These regulations do not spell out exactly what security controls you need in place. They often describe security controls vaguely, so you and your legal team will have to work together to interpret what each one means for your specific business.


Build the ‘most right’ security program

Notice I didn’t say ‘best’. As a data risk owner, CISO, or InfoSec Officer, you need to build a security program that balances the implementation of protection controls against the relevant risks, so that the result fits the company’s risk appetite.

risk appetite: “the level of risk that an organization is prepared to accept in pursuit of its objectives, and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings.” (Wikipedia)

The security program should be built to reduce risk and protect the most important assets. If the most important asset in your company is the single remaining digital image of the boss’s deceased dog, then implement the controls to protect it. There are no compliance rules I can think of that state you need to do that.


Overlay compliance requirements with the program

Once you’ve implemented a security program based on company risk, go back to the security regulations and review which of their controls you’re already complying with. Take the outstanding rules and perform a tabletop exercise with the right audience on how these controls can be met. The remaining controls will fall into two categories:

1. Silly
2. Important

The ‘silly’ controls should be implemented in the easiest, least costly way that meets the control objectives and will pass an audit. They should also be implemented as quickly as possible to avoid a deficiency finding in an audit.

The ‘important’ controls are the ones you didn’t think of while developing your security program; reviewing standards developed by outside professionals has now made you aware of important changes you should implement.

For these controls, you should also start with the easiest, least costly solution so that you can meet the compliance requirements as soon as possible. Then spend the time to design a roadmap for how you will mature these controls over time to meet both the compliance requirements and your business risk requirements.

“Compliance technology is important but don’t bet the business on it.” – 2017 Cost of Cyber Crime Study by Ponemon

In summary, compliance is an important part of today’s cybersecurity program. Compliance requirements continue to mature and become more applicable to today’s business risk. With that said, cybersecurity programs should not be built on these requirements; they should be designed and developed based on the unique and specific risks of your company.

Once you’ve built the right program for your business, take the time to have someone review the compliance regulations and identify any controls you are responsible for but have not yet implemented. Then spend the time and investment to bring your cybersecurity program up to regulatory standards.

May you be secure and compliant, thanks for reading.
