CISO perspectives on complying with cybersecurity regulations

Compliance requirements are intended to increase cybersecurity transparency and accountability. As cyber threats increase, so do the number of compliance frameworks and the specificity of the security controls, policies and activities they include.

For CISOs and their teams, this means compliance is a time-consuming, high-risk process that requires strong organizational and communication skills in addition to security expertise.

We turned to the CISO Brain Trust to learn how best to address data security and privacy compliance requirements. In this blog, they share strategies to reduce the difficulty of managing the compliance process, including risk management and stakeholder alignment.

Read on for tips on how to transform compliance from a “necessary evil” into a strategic tool that helps you assess cyber risk, gain budget and buy-in, and increase customer and shareholder trust.

Which CISOs care most about compliance?

How CISOs view cybersecurity compliance can vary greatly, depending on company size, geography, industry, data sensitivity and program maturity level. For example, if you are a publicly traded company in the United States, you will have no choice but to comply with multiple regulations, as well as maintain risk assessments and corrective action plans.

If you are a government agency or sell to one, you will need to meet specific public sector compliance requirements. Banks, healthcare organizations, infrastructure, e-commerce companies and other businesses must follow industry-specific compliance rules.

Security does not equal compliance.

Even if you don’t fall into one of these categories, there are many reasons why you will need to demonstrate best security practices, such as seeking SOC certification or requiring cybersecurity insurance. For all organizations, broad cybersecurity compliance frameworks such as NIST CSF and ISO provide templates to follow and structures for communicating findings.

That said, “security does not equal compliance” is an oft-heard mantra from CISOs. Of course, just because you’re compliant, that doesn’t mean you’re safe. Very mature cybersecurity organizations may view compliance as the bare minimum and go well beyond the components required to protect their organizations.

Compliance as an enabling factor for business

While a CISO can recommend cybersecurity investments and practices to meet compliance requirements, he or she is not the final decision maker. Therefore, a key responsibility of a CISO is to communicate the risk of non-compliance and work with other business leaders to decide which initiatives to prioritize. Risk, in this context, incorporates not only technical risk, but also business risk.

Steve Zalewski, former CISO of Levi Strauss, likes to use the “carrot and stick” metaphor. “Historically, audit and compliance have been the stick that forces you to do something,” he shares on the Defense-in-Depth podcast, “but doing so does not mean the business is aligned with the value of doing so.” To avoid friction, he recommends showing people the business value of compliant cybersecurity. “There has to be a carrot component to make them feel like they have a choice in the matter,” he says.

Suppose an organization does not fully meet security best practices for privilege management. While noncompliance could result in regulatory fines and shareholder lawsuits, underlying security gaps could cause even greater business impacts, including downtime, ransomware payouts, and lost revenue. Meeting compliance requirements, on the other hand, could deliver business value, such as faster sales, stronger partnerships, or lower cyber insurance rates.

As part of a comprehensive risk management program, boards of directors and executive leadership must weigh the costs and benefits of ensuring compliance against the potential costs of noncompliance. In some cases, they may decide that a certain level of risk is acceptable and choose not to implement additional safeguards. In other cases, they could double.

How CISOs use compliance frameworks to plan their cybersecurity roadmap

Some CISOs use compliance frameworks as a source of techniques and processes to incorporate into their cybersecurity program. Essentially, the frameworks inform program priorities and create a shopping list of must-have solutions that align with the program they are trying to build.

On the Audience First podcast, former Fortune 500 CISO Brian Haugli draws a distinction between being dependent on compliance and using compliance frameworks to drive informed risk management:

“We can’t be black and white. We need to be able to make risk-based decisions, to say, ‘I’m going to accept this risk because I can’t afford to close it right now. But I will do these things to mitigate the risk to a low enough level that I can accept them.’”

CISOs need compliant partners

CISOs aren’t alone in the compliance boat. They need to partner with legal teams, privacy officers, and audit or risk committees to understand changing compliance requirements and decide how to address them.

These internal partners sometimes require security teams to implement stronger controls, but they may also put on the brakes. As the CISO of a fast-growing technology provider told us, “Frankly, the legal department beats me to it every day of the week. They tell me what I can and cannot do. I’d like to be able to monitor everyone’s behavior, but privacy laws say I can’t do that.”

Compliance teams do many things that security engineers and analysts don’t have the time or resources to do. They hold security accountable by double-checking that controls are working as intended. They act as intermediaries between security teams, regulators, and auditors to demonstrate compliance, whether that means gathering evidence through manual security questionnaires or through technology integrations.

For example, for a public sector certification, security controls must be monitored, recorded and retained for at least six months to demonstrate that they did what they said they would do.

Tools and resources that support compliance

Risk registers are useful for aligning all stakeholders by documenting all risks and organizing them by priority. If everyone is looking at the same information, you can agree on appropriate actions. As part of a risk management program, policies, standards and procedures are regularly reviewed and any changes approved prior to implementation.

Using tools like GRC systems and continuous compliance monitoring, organizations can track ongoing security activities and report findings. GRC systems can connect to SIEMs to collect logs, and to vulnerability scanners to show that checks have been completed. “Instead of shuffling spreadsheets, we have created various connectors that integrate with our GRC platform to demonstrate that we are compliant,” explains the technology provider’s CISO. “They map certifications into a single dashboard, so when a reviewer comes in, we show them a screen that says, ‘Here’s the evidence.’”

In addition to tools, many companies rely on third parties to conduct compliance assessments. They can perform an internal compliance audit before an external one to ensure there are no surprises when regulators come in.

Comply once, apply to many

Most organizations have numerous compliance bodies they must answer to, as well as cyber insurance providers, customers and partners. While compliance can be a burden, the good news is that there are techniques to simplify the assessment process. “If you look at all the major compliance bodies, around 80% of the requirements are the same,” says the CISO of a SaaS vendor. “You can align with a framework like NIST and apply the same practices to everyone.”

For example, Privileged Access Management (PAM) requirements such as password management, multi-factor authentication (MFA), and role-based access controls are common across compliance frameworks. You can dive deeper into the specifics to see what PAM looks like in a variety of compliance requirements on Delinea.com.

Emerging compliance requirements

Compliance is a fluid space with requirements that evolve to address changing risk models and business conditions. CISOs look to compliance bodies for guidance on managing emerging cyber risks, such as artificial intelligence.

Looking to the future, CISOs expect that ensuring compliance will become an even more important part of their job. As the industry faces ever-increasing threats, compliance is a key part of a strategic, comprehensive approach to managing cybersecurity risk.

For more on this topic, check out Delinea’s 401 Access Denied podcast episode: Securing Compliance: Expert Insights with Steven Ursillo

Do you need a step-by-step guide to plan your strategic path to privileged access security?

Get started with a free, customizable PAM checklist.

This article is contributed by one of our valued partners.