By Candy Alexander, CISSP, CISM, NeuEon Cyber Risk Leadership Practice Lead & CISO
New to our “Top 5 Security Truths Every CIO Should Know” blog series? Be sure to start with the first post.
In the final installment of our three-part series, we’ll round out the top 5 and come full circle, tying everything back to our first point: security is a business issue, driven by the organization’s risk appetite.
Compliance. The word alone can fill your body with dread and your mind with questions. How will I know if my organization is compliant? Which compliance regulations apply to me? Where, and how, do I even start? On top of that, how are CIOs supposed to manage all of the competing priorities? Let’s get straight to the answers.
4. Understanding What Regulatory Requirements Apply and How to Implement Them
Does compliance actually help my organization be more secure?
PCI DSS, GDPR, CCPA, HIPAA, DFARS—there is a plethora of regulatory and legislative compliance requirements that organizations must adhere to. The irony is that you can work diligently to meet every compliance requirement and still not be secure. There are numerous examples of organizations that were treated as compliant, yet were breached anyway. Equifax, Home Depot, Anthem, and TJX are among the organizations now famous for the lessons we learned from them.
Where we go wrong is getting stuck in the compliance game. Many businesses understand that they need to comply, but stop short of a holistic security program. For example, PCI DSS requires security controls around the systems that store, process, or transmit cardholder data, but complying with it says nothing about the rest of the organization, the environment, and the data that sit outside that scope. Believing that a security program aligned to compliance requirements “addresses security” gives a dangerous false sense of security.
To gain a holistic point of view, treat security as reducing risk to the organization, its environment, and its data. Only from that perspective can you align your safeguards to all of your compliance requirements at once, rather than chasing PCI DSS this year and CCPA/GDPR the next.
The key to achieving both compliance and reduced risk is a security program built on a security framework such as the NIST Cybersecurity Framework (CSF), the ISO 27000 series, or even the “Top 20 CIS Critical Security Controls.” In our experience a program built this way meets 80%-90% of the requirements in any given regulation; the remaining 10%-20% is regulation-specific detail that you map back to the program rather than building a separate program for.
Sometimes it is easier to reduce or eliminate a compliance obligation altogether. For example, you may discover that you are housing data that is “in scope” for a regulation but is only “nice to have.” Removing that data (including the copies in backups, logs, and test environments) takes the obligation out of scope. Even then, you still need a security program, because attackers do not limit themselves to your compliance scope and the environment remains exposed.
To recap, follow these guidelines:
- Don’t treat compliance checklists as your security program. There are too many of them and you have only one program; otherwise you end up building multiple programs, one per compliance requirement.
- Do use a good framework to build a security program, which will meet 80%-90% of your compliance requirements in the process. Consider starting small with the Top 20 CSCs and growing the program toward the NIST CSF or ISO 27000 series, mapping each control back to the compliance requirements it satisfies.
- Don’t keep data around that you aren’t using. By removing “in scope” data you don’t need, you may be able to shrink or eliminate a compliance obligation.
- Do focus on a risk-based security program, keeping in mind that not being in compliance is a risk to the business.
5. Knowing How to Balance and Grade the Priorities
Which priority is more important?
Balance is the key to life, and to happy CIOs. All of the challenges, and the sense that everything is a top priority, are enough to leave anyone feeling deflated. Sometimes all a CIO needs is a little guidance on how to prioritize it all.
When prioritizing security, CIOs should stay rooted in the risk-based view and use the business justification to define scope and expectations. From there, the security effort can be shaped into an implementation plan based on the following guideposts:
- Do have a plan which directly aligns and supports the business goals.
- Don’t skimp on your plan. Be sure to include security and technology from concept to rollout. It’s easier to bake security in than to bolt it on.
- Do follow a risk-based approach that uses a risk management framework such as the NIST RMF, or a simple cycle that assesses, addresses, monitors, and adjusts.
- Don’t forget to plan the work, and work the plan. It can be easy to get distracted, but don’t lose sight of your implementation plan. Instead, monitor its status and adjust when necessary.
- Do use a sounding board when you are unsure or need a second opinion. There’s no shame in asking for help.
Beyond the Top 5: CIOs Aren’t Alone
Reading the five points in our blog series is a good start toward overcoming the toughest security challenges a CIO faces. While we have answered some of the most common questions, there are always more to answer, and it’s OK not to “know it all.”
Need some extra help? NeuEon’s Cyber Risk Leadership Practice was built to help organizations navigate the strategic complexities of a comprehensive cybersecurity approach. Learn how we can help ease your mind and achieve security rightsized for your business’s risk appetite. Contact us today.
To get a full view of this entire blog series download the infographic here.