Many companies struggle to balance compliance with security, especially in the face of limited budgets. Depending on the industry, non-compliance can result in substantial fines and even criminal charges, not to mention the impact on the business. But being compliant doesn’t necessarily equate to being secure. Most recognize that, at the end of the day, compliance wins out. But it’s not an easy road to get there.
In cybersecurity, legal and regulatory considerations are fluid, growing and inconsistent. The result is a regulation gap that can’t keep pace with what’s happening on the ground. There are a number of factors contributing to the gap.
Often, the regulations themselves are to blame. Many are developed based on existing knowledge, making them outdated by the time they are implemented. Adding to the complexity is the fact that regulators are challenged with creating requirements that must be applied across a wide community. There’s also a vast number of regulations, many with specific directives and overlapping expectations. In some cases, there’s just enough variation in terminology to create confusion, especially given the nuanced language used in cybersecurity.
There are also environmental dynamics. For example, demands are placed on companies to implement a Security Operations Center (SOC), which is a team of security professionals tasked with detecting cybersecurity events in real time. In today’s world, it can be challenging to evaluate a wide range of approaches and determine which one will satisfy the regulators.
Build Partnerships to Close the Gap
Too often, security, risk management, and compliance are thought of as interchangeable. In reality, each of these areas has specific requirements and needs a specialized team to be successful. Security binds them together, but risk management and compliance each play important roles of their own. All three teams need to understand the challenges of the other areas and be willing to collaborate and compromise to achieve the least risk.
Building a successful partnership requires self-awareness. Cybersecurity professionals need to recognize that cybersecurity is not always the greatest risk to a company. Conversely, compliance professionals need to understand that standards and regulations are not always cleanly applicable to all environments. Sometimes, the technical and operational limitations are out of the cybersecurity team’s control.
Understand the Security Culture
Another way to close the gap is to identify the organization’s security culture. Companies may blend the following three buckets, but upon close examination one of them will stand out as the driving force:
- Vulnerability Sensitive: These organizations base their security program on managing vulnerabilities. This is one of the more common cultures because hackers exploit vulnerabilities, but these can be discovered and corrected. While it’s not always a simple fix, the number of hacks and patches can easily be measured. These are often important metrics for senior leadership and board members.
- Risk Averse: This culture places an emphasis on risk management. The questions are less about vulnerabilities and more about fiscal exposure. The challenge is agreeing on how much risk is acceptable and how to measure it. For example, probability is difficult to pin down, so the numbers presented can be questionable. Cybersecurity professionals often struggle with what they perceive as a risk versus what the board prioritizes.
- Compliance Driven: This approach to security is to do exactly what is required by regulators. Organizations with this culture want to know what others in their industry are doing to meet requirements and how much they’re spending. This is not necessarily a bad business practice but may not improve the company’s security posture.
Four Steps to Achieve Compliance and Security
- The connective tissue to ensure both compliance and security is intent: both the intent of the regulators and standards writers and the intent of the security controls and how they’re governed. It seems obvious, but the first step is for the compliance and risk teams to fully understand the regulations and related standards. Too often these are referred to without ever being read. Executive leadership needs to prioritize training and education investments to include support for this area.
- Next is determining the extent of compliance, or the scope. Scoping helps isolate compliance obligations and minimize regulatory exposure, which is especially important in cultures that are not compliance driven. Often, this comes into play when a regulation is poorly structured, requiring the organization to minimize the scope because its business could not realistically function otherwise.
- Establish a relationship with the auditor and understand their practices, approach, and overall attitude towards the regulation. While large portions of a regulation or underlying standard may be clear, the decision about the effectiveness of the control is in the hands of the auditor. All parties also need to come to agreement on the remediation steps recommended by the auditor so they can be applied correctly.
- While compliance is the first priority, it should be done through the lens of cyber equity. All compliant controls should be fully integrated into a governance program. If they’re not, they’ll deteriorate and become useless for compliance. The control should also be approached within the larger cybersecurity framework, and there should be a plan to leverage it downstream.
A recent Gartner study found that “Cybersecurity leaders today are burnt out, overworked and practice an ‘always-on’ mode. This is a direct reflection of how elastic the role has been over the past decade due to the growing misalignment of expectations from stakeholders within their organizations.” By building a strong cross-functional team with representatives from risk, compliance, security, and related IT functions, the organization will be in a better position to secure its environment, manage its risk, and then meet compliance standards.