Managing Cybersecurity Compliance

As the adage goes, “compliance does not equal security” and, frankly, vice-versa. What compliance does do is define the minimum security requirements for a specific regulation, standard, or policy, or, as Bill Bonney puts it in the book CISO Desk Reference Guide, Volume 1: “regulatory and compliance requirements do not in and of themselves keep your data secure, they are obligatory, with specifics depending on the industry, locale, and organizational structure. But truth be told, despite many’ for compliance activities and requirements, they can often be leveraged as a foundation for a good information security program.” I would add: especially if you are new to the organization, new to the security field, or don’t know exactly where to start your program.

Now that you are familiar with some of the many laws, rules, and regulations that impact a cybersecurity program, and have met the many stakeholders you will be working with to deliver compliance assurance, we need to bring all of it together to manage the cybersecurity function of the company. How do we build a program that provides enough security while assuring management and the board that the company will meet its compliance commitments? This section describes some methods that security professionals and leaders can apply to deliver compliance.

  1. First, interview the stakeholders to gain a solid understanding of the different regulatory and contractual obligations of the organization that you can leverage to build a solid cybersecurity program.
  2. Conduct a Risk Assessment. Before developing a cybersecurity compliance plan, you need to understand the risks facing your organization. Conducting a risk assessment will help you identify potential vulnerabilities and threats to your systems and data. This assessment will help you prioritize your compliance efforts.
  3. Overlay the different requirements over each other to identify common patterns and overlaps.
  4. Consider different risk and control frameworks to identify whether any of them, or a combination of them, would meet your requirements. For example, if you work at a national insurance carrier that is a public company, you could compare NIST CSF or CIS v8 against regulations such as HIPAA, SOX, GLBA, and the other regulations the company must comply with.
  5. Identify any additional contractual requirements in place, for example:
    • You are required by a client or vendor to follow NIST 800-53 or,
    • You require your client or vendor to be SOC 2 Type 2 compliant.
    • Any other requirements in contracts, NDAs, MSAs, etc.
  6. Build a visual of the mapping that is easy for management, auditors, and stakeholders to consume. See Figure 2 for a simple example.
  7. Evaluate current policies and standards in place at the company and figure out whether they are appropriate for the organization’s regulatory and contractual requirements.
  8. Develop a Compliance Plan. Based on the risk assessment results, you should develop a compliance plan that addresses all relevant regulations and contractual requirements. This plan should include policies and procedures for several cybersecurity domains, including but not limited to data protection, incident response, access control, and employee training.
  9. Develop a Security Controls and Evaluation Roadmap. Once you have a compliance plan, you must implement security controls to protect your systems and data, such as firewalls, intrusion detection systems, and encryption software.
  10. Educate staff. Your employee security awareness training should touch on internal policies, procedures and controls to ensure that they understand their role in maintaining cybersecurity compliance.
  11. Monitor and Audit Compliance. Once you have implemented security controls, monitoring compliance through regular audits is important to ensure that your organization follows the policies and procedures outlined in your compliance plan. Regular audits can help identify areas where you may fall short of compliance requirements.
  12. Monitor regulatory changes. Cybersecurity regulations and requirements are constantly evolving, so staying up-to-date with changes is essential. This may involve attending conferences, joining industry groups, and monitoring regulatory updates. You should also regularly review your policies and procedures to ensure they comply with current requirements.
  13. Rinse and Repeat!

Note. It is crucial that you carry out this activity collaboratively, involving the impacted business units, IT, Legal, OIA, and Security teams throughout the process so that everyone has a chance to contribute and build a holistic program.

Figure 2. Organizational Compliance Mapping
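As an added illustration of steps 3, 4, 6 and 11 (example code written for this page, not from the article or from CA2 Security), the Python script below overlays requirements from several obligations onto a small common control library and reports which internal control satisfies which external requirement, how many obligations each control serves, and which requirements are still uncovered gaps. The framework names are the ones mentioned above, but every requirement id, topic and control name is a constructed placeholder, not a citation of the actual standards.

```python
# Added example: a tiny common-control-library crosswalk (steps 3, 4, 6, 11).
# Framework names are real; every requirement id, topic and control name below
# is a CONSTRUCTED placeholder, not an authoritative citation of any standard.
from collections import defaultdict

# Constructed external obligations: (framework, requirement id, topic)
REQUIREMENTS = [
    ("HIPAA", "HIPAA-AC-1", "access control"),
    ("HIPAA", "HIPAA-IR-1", "incident response"),
    ("SOX", "SOX-AC-1", "access control"),
    ("SOX", "SOX-CM-1", "change management"),
    ("GLBA", "GLBA-DP-1", "data protection"),
    ("GLBA", "GLBA-AT-1", "employee training"),
    ("Client MSA", "MSA-IR-1", "incident response"),
    ("Client MSA", "MSA-VM-1", "vulnerability management"),
]

# Constructed internal common control library: control -> topics it implements
CONTROL_LIBRARY = {
    "CC-01 Role-based access reviews": {"access control"},
    "CC-02 Incident response plan and tabletop": {"incident response"},
    "CC-03 Encryption of data at rest and in transit": {"data protection"},
    "CC-04 Annual security awareness training": {"employee training"},
}

def build_crosswalk(requirements, library):
    """Map each internal control to the external requirements it satisfies
    (matched by shared topic) and list requirements no control covers (gaps)."""
    topic_to_controls = defaultdict(list)
    for control, topics in library.items():
        for topic in topics:
            topic_to_controls[topic].append(control)
    crosswalk = defaultdict(list)  # control -> [requirement ids]
    gaps = []
    for _framework, req_id, topic in requirements:
        controls = topic_to_controls.get(topic)
        if not controls:
            gaps.append(req_id)  # nothing in the library addresses this topic yet
        for control in controls or ():
            crosswalk[control].append(req_id)
    return dict(crosswalk), gaps

def frameworks_covered(crosswalk, requirements):
    """Count the distinct obligations each control satisfies: the overlap that
    lets one control owner serve several regulations or contracts at once."""
    framework_of = {req_id: fw for fw, req_id, _ in requirements}
    return {c: len({framework_of[r] for r in reqs}) for c, reqs in crosswalk.items()}

if __name__ == "__main__":
    xw, gaps = build_crosswalk(REQUIREMENTS, CONTROL_LIBRARY)
    for control, reqs in xw.items():
        print(f"{control:50} -> {', '.join(reqs)}")
    print("Gaps (no control yet):", gaps)
```

The gap list is the input to step 8 (what the compliance plan still has to add), and re-running the script after every audit or regulatory change is a lightweight version of steps 11 and 12.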

The challenge for organizations and security leaders is often that compliance creates an operational burden that, if not managed correctly, may result in friction between the security team and other business units. Hence the importance of building relationships across the organization and understanding each unit’s priorities as well as the big-picture strategic objectives of the company. In the book CISO Desk Reference Guide, Mr. Bonney also offers advice on different options¹:

  • Outsource some of the compliance activities.
  • Add headcount in either the security team or business units where control execution takes place to manage compliance.
  • Purchase and implement a Governance, Risk, and Compliance (GRC) technology platform.

In the steps laid out earlier, we established the need to identify overlapping requirements. The aim of that exercise is to reduce complexity and build a common control library that is easy for control owners to implement and manage. In the CISO Desk Reference Guide, Gary Hayslip tells us that “The key point you should understand is that the more “complexity” you introduce into implementing policies, projects, or processes, the more security gaps you create in your organization,” and then adds that “Employees would develop workarounds, which they justify are needed to get work done. In the end, the business is paying for a complex solution that is not being followed and the compliance program has not substantially reduced the organization’s risk exposure.”

To conclude, an effective security manager should understand that compliance, like risk management, is an ongoing process that requires a comprehensive approach and continuous monitoring and assessment; or, as Mr. Hayslip explains, “don’t forget that compliance is a life cycle and it starts with you understanding what regulations apply and then using a framework to build your selected policies, security controls, and work process.” It’s crucial to regularly review and update your compliance plan to stay ahead of evolving threats.

Bonney also recommends considering “engaging a services firm for a needs assessment and to perform project management, evidence collection, and (if necessary) security controls testing.” This is a core service that CA2 Security offers to its clients on either a one-time or ongoing basis. We have helped many organizations to become audit-ready but, most importantly, to mitigate their risk by implementing Continuous, Adaptable, and Actionable security programs that are built incrementally. Let us know how we can help.
