
In our Integrating Governance Risk and Compliance series, CyberSaint leadership explores the process through which cybersecurity leaders can reconfigure their organizations to support the new paradigm of information security as a business function.

For many cybersecurity programs, compliance has been the cornerstone and the catalyst for why the program exists in the first place. Since the rise of the information technology function within the enterprise, security has been a priority not only for companies themselves but for the governing bodies of the industries and jurisdictions in which they operate. For many entities, compliance is a critical function that sustains ongoing business operations and supports new business growth. From the Department of Defense and the DFARS mandate to the New York Department of Financial Services and 23 NYCRR 500, organizations across industries and locations are bound by baseline requirements intended to ensure that they are secure enough.

Are We Secure?

Heads of information security hear this often from superiors, the age-old question: are we secure? As more CEOs and boards take a greater interest in cybersecurity, a simple yes or no is no longer sufficient. In much the same way, a checkbox compliance approach to a cybersecurity program is no longer sufficient. Ensuring that an organization is secure is based in part on meeting compliance requirements, yet in today's technology-driven business climate, focusing only on baseline compliance requirements is not enough.

Why Compliance Standards Exist

To understand the role that compliance standards play in an integrated risk and compliance program, think of them as the physiological requirements in Maslow's hierarchy of needs: the foundational needs like food, water, and shelter. The function of compliance standards set forth by governing bodies is to ensure that participants in an industry have implemented enough security practices to take part in that industry and keep its ecosystem secure. Compliance standards, on their best day, stand between society's most critical functions and a grinding halt. This is why standards are most often found in highly regulated industries, where the failure of these functions is not an option: energy and utilities, banking and finance, defense and aerospace.

These industries, in particular, have been deemed critical to the ongoing function of our society as a whole and therefore need to be at least secure enough.

Enough Is Not Enough

Here's the thing: enough is not enough in many cases. Mandatory standards are designed for the lowest common denominator. They have to be achievable by companies of varying sizes, and sometimes of different functions, so they tend to be general, and general requirements are rarely sufficient to secure any one organization adequately. Compliance standards, while prescriptive and valuable at an industry level, are not enough for an individual organization to assure its CEO and board that it is secure.

Fundamental Frameworks Transcend Compliance


We have covered before how the continued rise of compliance standards is overtaxing cybersecurity teams. This groundswell of regulation will only continue as it spreads to new industries and locations, and reacting to each new framework and standard as it emerges will leave organizations reeling. The strategy for integrating compliance activities into a cybersecurity program begins with a guiding, foundational framework. In most cases, I recommend the NIST Cybersecurity Framework (CSF) as that north star, because the requirements that make up these standards typically map onto the CSF's core functions and categories. When security leaders focus on the foundational principles in the CSF rather than on each compliance requirement in isolation, the result is significantly less menial effort spent meeting overlapping demands. The optimal way to future-proof your cyber program against new compliance requirements is to focus on the foundational framework that informs them.

Integrating Governance, Risk, and Compliance With the NIST CSF

For leaders looking to integrate their governance, risk, and compliance activities, there is another reason to use the NIST CSF as the guiding force for compliance: using the NIST portfolio of frameworks and publications brings all GRC activities under one banner. As my co-founder discussed in his webinar on harmonizing privacy, risk, and cybersecurity, the NIST CSF is designed to integrate with the NIST Risk Management Framework (and the new Privacy Framework). Further, the NIST CSF's outcome-based approach supports translating tactical cybersecurity risk and compliance activities into business outcomes, a critical function for today's cybersecurity leader.

While the result is far more valuable than the alternative, implementing the NIST CSF can be complicated. Using a tool that streamlines that process, and that can ingest and operationalize any other framework (regulatory or otherwise), is critical. Choosing the right solution for this task, and in turn preparing your cybersecurity organization for the future, depends on using a lightweight and nimble tool capable of integrating your governance, risk, and compliance activities.
