An IRM Approach to Compliance
In recent history, cybersecurity regulation and the possibility of fines resulting from non-compliance have driven action by CIOs, CISOs, and executive management. The reason is that, up until recently, this was the only direct tie that organizations could see between information security and the bottom line. As we’ve seen in the past few years, that is no longer the case. Information security accounts for many more risks than fines related to non-compliance - data breaches and theft, ransomware, and the resulting breakdown in consumer and vendor trust following an event. This elevation of information security professionals to executive and boardroom level discussions have driven the rise of integrated risk management practices and risk assessment-based approaches to what were once the three siloes of governance, risk, and compliance. Yet, in Gartner’s 2018 CEO Survey, CEOs cited regulations and laws as the primary external factor constraining company growth.
Striking a balance between prioritizing the risks and cyber threats specific to your organization, protecting data, and meeting security practice requirements for seamless operations is a problematic challenge for CISOs looking to adopt a risk-based compliance cybersecurity program.
Building Cybersecurity Compliance Into Your IRM Program
Prioritizing a risk-based approach does not mean that a program abandons compliance. Remember that these compliance regulations are designed to be the baseline requirements for all organizations in a given industry or location based on common cybersecurity risks. A risk-based approach to cyber security and compliance thinking requires a different thought process that is more sustainable and prepares the organization for future regulations as they emerge.
Starting At The Foundation
Your organization’s security team probably already has identified the necessary compliance requirements based on the industry and operating locations. You might already have a process for risk management for information security compliance. The goal here is to meet those requirements while also addressing the possible security breaches and unique risks facing your organization that the regulatory requirement might not cover.
Start by aggregating your information system security requirements - whether you’re a hospital processing sensitive information and must comply with the Health Insurance Portability and Accountability Act (HIPAA) security rule, a financial institution that must meet the Sarbanes Oxley Act, or an e-commerce company that processes credit card data must meet Payment Card Industry Data Security Standard (PCI DSS) requirements and data protection requirements like General Data Protection Regulation (GDPR) for the European Union or the California Consumer Privacy Act (CCPA) for California residents. For the most part, cybersecurity regulations are rooted in a few core frameworks that are so comprehensive that regulators regularly draw from them to create and update regulatory compliance standards.
These core frameworks are:
- International Organization for Standardization (ISO) 27001
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Special Publication 800-53
- Center for Internet Security (CIS) 20
Taking into account which of these framework standards are the drivers for your organization’s compliance requirements (i.e., DFARS for contractors working with defense government agencies is derived from NIST 800-53, NYDFS is derived from the NIST CSF), you can begin to get a sense of which of these core frameworks you should be building your security management system around. While it is never guaranteed that regulatory bodies will pull exclusively from one framework or another, understanding which is a primary driver can put your organization ahead of new regulations before they emerge or before existing ones are updated.
Building to Your Organization
By prioritizing the foundational frameworks, your organization can meet various compliance requirements without duplicating efforts. This approach, coupled with CyberStrong’s ability to clone security assessments for similar assets, has significantly reduced the repeated efforts that many technical and business leaders identify as a hindrance to business growth. Furthermore, as Gartner states, compliance will account for 30% of IRM spending by 2023 - indicating that the management of multiple compliance standards will only become more prevalent for information security leaders and their CEOs and Boards.
By 2023, more than 30% of total organizations’ spending on IRM will be from CCO solutions.
How CyberStrong Enables A Stronger Compliance Program
In 2019 Gartner identified five core capabilities of information security and compliance solutions: policy development and management, investigative case management, workflow and business process management, control assessment and monitoring, and aggregation and normalization. CyberStrong not only enables all of these core capabilities, including workflow automation, continuous monitoring of compliance, and intelligent assessment data aggregation but also addresses areas that Gartner identified as future-facing functionalities for forward-thinking risk and compliance teams:
- Machine learning and natural language to interpret regulations: CyberStrong users can access standard frameworks written in natural language. This enables participation from the right stakeholders, not merely the technical stakeholders who can read the technical framework language.
- Ability to track compliance requirements and map them to existing practices for the purpose of budget allocations that are otherwise deprioritized: CyberStrong teams use our Drill Down functions on our dashboards to visualize gaps in their security and benchmark against the necessary compliance requirements. Further, by using patented AI-backed remediation Optimizations, teams can see which security controls to protect for the lowest cost and highest ROI to determine where to focus the budget.
- Ability to track efforts in compliance activities to track the cost of control testing, compliance audit prep, audit support, and remediation coordination: CyberStrong users monitor a comprehensive list of compliance activities using completion cost fields at the control levels and breaking down specific elements within compliance notes.
Aligning with IRM Practices
The concept of an integrated risk management program and platform is predicated on recombining the siloes of governance, risk, and compliance departments and security and privacy to drive secure business growth in real-time. Network security and compliance can be managed simultaneously under an integrated approach. As we’ve seen, the compliance vs risk-based approach is a critical element that weighs heavily on technical and business leaders' minds.
As we’ve discussed, the most significant friction point for compliance, network security, and meeting compliance requirements are getting ahead of new regulations as they’re released. Taking a foundational approach to compliance frameworks and using CyberStrong to reduce duplicated efforts reduces time to compliance and minimizes the bottleneck traditionally associated with compliance teams protecting and securing critical infrastructure. CyberStrong users consistently report exponential reductions in assessment time, which have facilitated more productive conversations with executive management and enabled secure digital transformation.