As the adage goes, “compliance does not equal security” and, frankly, vice versa. What compliance does do is define the minimum security requirements for a specific regulation, standard, or policy, or, as Bill Bonney puts it in the book CISO Desk Reference Guide, Volume 1: “regulatory and compliance requirements do not in and of themselves keep your data secure, they are obligatory, with specifics depending on the industry, locale, and organizational structure. But truth be told, despite many’ for compliance activities and requirements, they can often be leveraged as a foundation for a good information security program.” I would add, especially if you are new to the organization, the security field, or don’t know exactly where to start your program.
Now that you are familiar with some of the many laws, rules, and regulations that impact a cybersecurity program, and have identified the many stakeholders you will work with to deliver compliance assurance, we need to bring all of it together to manage the cybersecurity function of the company. How do we build a program that provides enough security while assuring management and the board that the company will meet its compliance commitments? This section covers some methods that security professionals and leaders can apply to deliver compliance.
Note. It is crucial that you carry out this activity collaboratively, involving the impacted business units, IT, Legal, OIA, and Security teams throughout the process so everyone has a chance to contribute and help build a holistic program.
Figure 2. Organizational Compliance Mapping
The challenge for organizations and security leaders is often that compliance creates an operational burden that, if not managed correctly, may result in friction between the security team and other business units. Hence the importance of building relationships across the organization and understanding each unit’s priorities as well as the big-picture strategic objectives of the company. In the CISO Desk Reference Guide, Mr. Bonney also offers advice on different options¹:
In the steps laid out earlier, we established the need to map overlapping requirements. The exercise aims to reduce complexity and build a common control library that is easy for control owners to implement and manage. In the CISO Desk Reference Guide, Gary Hayslip tells us that “The key point you should understand is that the more “complexity” you introduce into implementing policies, projects, or processes, the more security gaps you create in your organization,” and then adds that “Employees would develop workarounds, which they justify are needed to get work done. In the end, the business is paying for a complex solution that is not being followed and the compliance program has not substantially reduced the organization’s risk exposure.”
To conclude, an effective security manager should understand that compliance, like risk management, is an ongoing process that requires a comprehensive approach and continuous monitoring and assessment; or, as Mr. Hayslip explains, “don’t forget that compliance is a life cycle and it starts with you understanding what regulations apply and then using a framework to build your selected policies, security controls, and work process.” It is crucial to regularly review and update your compliance plan to stay ahead of evolving threats and changing regulatory obligations.
Bonney also recommends considering “engaging a services firm for a needs assessment and to perform project management, evidence collection, and (if necessary) security controls testing.” This is a core service that CA2 Security offers to its clients on either a one-time or an ongoing basis. We have helped many organizations become audit-ready but, most importantly, mitigate their risk by implementing Continuous, Adaptable, and Actionable security programs that are built incrementally. Let us know how we can help.