
An IRM Approach to Compliance

In recent history, cybersecurity regulation and the possibility of fines for non-compliance have driven action on the part of CIOs, CISOs, and executive management. The reason is that, until recently, this was the only direct tie that organizations could see between information security and the bottom line. As we’ve seen in the past few years, though, that is no longer the case. Information security accounts for many more risks than fines for non-compliance: data breaches and theft, ransomware, and the breakdown in consumer and vendor trust that follows an incident. This elevation of information security professionals to executive and boardroom discussions has driven the rise of integrated risk management practices and risk-assessment-based approaches to what were once the three silos of governance, risk, and compliance. Yet CEOs in Gartner’s 2018 CEO Survey cited regulations and laws as the primary external factor constraining company growth.

Striking a balance between prioritizing the risks and cyber threats specific to your organization and protecting data while meeting security practice requirements for seamless operations is a difficult challenge for CISOs looking to adopt a risk-based compliance cybersecurity program.

Building Cybersecurity Compliance Into Your IRM Program

Prioritizing a risk-based approach does not mean that a program abandons compliance. Remember that compliance regulations are designed to be the baseline requirements for all organizations in a given industry or location, based on common cybersecurity risks. A risk-based approach to cybersecurity and compliance requires a different thought process, one that is more sustainable and prepares the organization for future regulations as they emerge.

 

Starting At The Foundation

Your organization’s security team has probably already identified the necessary compliance requirements based on its industry and operating locations. You might already have a process in place for information security compliance risk management. The goal here is to meet those requirements while also addressing the possible security breaches and unique risks facing your organization that might not be covered by any regulatory requirement.

 

Start by aggregating your information system security requirements, whether you’re a hospital processing sensitive information that must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, a financial institution that must meet the Sarbanes-Oxley Act, or an e-commerce company that processes credit card data and must meet Payment Card Industry Data Security Standard (PCI DSS) requirements, as well as data protection requirements like the General Data Protection Regulation (GDPR) for the European Union or the California Consumer Privacy Act (CCPA) for California residents. For the most part, cybersecurity regulations are rooted in a few core frameworks that are so comprehensive that regulators regularly draw from them to create and update regulatory compliance standards.

These core frameworks are:

  • International Organization for Standardization (ISO) 27001
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • NIST Special Publication 800-53
  • Center for Internet Security (CIS) 20

Taking into account which of these framework standards drive your organization’s compliance requirements (e.g., DFARS for contractors working with defense agencies is derived from NIST 800-53, and NYDFS is derived from the NIST CSF), you can begin to get a sense of which core framework you should build your security management system around. While it is never guaranteed that regulatory bodies will pull exclusively from one framework or another, understanding which is the primary driver can put your organization ahead of new regulations before they emerge or before existing ones are updated.

Building to Your Organization

By prioritizing the foundational frameworks, your organization can meet a swath of compliance requirements without duplicating effort. This approach, coupled with CyberStrong’s ability to clone security assessments for similar assets, has been shown to significantly reduce the repeated effort that many technical and business leaders identify as a hindrance to business growth. Furthermore, as Gartner states, compliance will account for 30% of IRM spending by 2023, indicating that managing multiple compliance standards will only become more prevalent for information security leaders as well as their CEOs and boards.

By 2023, more than 30% of organizations’ total spending on IRM will be on CCO solutions.

How CyberStrong Enables A Stronger Compliance Program

In 2019, Gartner identified five core capabilities of information security and compliance solutions: policy development and management, investigative case management, workflow and business process management, control assessment and monitoring, and aggregation and normalization. CyberStrong not only enables all of these core capabilities, including workflow automation, continuous monitoring of compliance, and intelligent assessment data aggregation, but also addresses areas that Gartner identified as future-facing functionality for forward-thinking risk and compliance teams:

  • Machine learning and natural language to interpret regulations: CyberStrong users have access to a set of standard frameworks written in natural language. This enables participation from the right stakeholders, not merely the technical stakeholders who can read the technical framework language.
  • Ability to track compliance requirements and map them to existing practices for the purpose of budget allocations that are otherwise deprioritized: CyberStrong teams use the Drill Down functions on our dashboards to visualize gaps in their security and benchmark against the necessary compliance requirements. Further, by using patented AI-backed remediation Optimizations, teams can see which security controls to invest in for the lowest cost and highest ROI, and so determine where to focus budget.
  • Ability to track effort spent on compliance activities in order to track the cost of control testing, compliance audit prep, audit support, and remediation coordination: CyberStrong users monitor a comprehensive list of compliance activities using completion cost fields at the control level and break down specific elements within compliance notes.

Aligning with IRM Practices

The concept of an integrated risk management program and platform is predicated on recombining the silos of the governance, risk, and compliance departments alongside security and privacy, as a means to drive secure business growth in real time. Network security and compliance can be managed simultaneously under an integrated approach. As we’ve seen, the choice between compliance-driven and risk-based approaches is a critical element, and one that weighs heavily on the minds of technical and business leaders alike.

As we’ve discussed, the most significant friction point for compliance and network security teams is getting ahead of new regulations as they’re released. Taking a foundational approach to compliance frameworks, as well as using CyberStrong to reduce duplicated effort, not only reduces time to compliance but also minimizes the bottleneck traditionally associated with compliance teams protecting and securing critical infrastructure. CyberStrong users consistently report exponential reductions in assessment time, which have facilitated more productive conversations with executive management and enabled secure digital transformation.
