An IRM Approach to Compliance
In recent history, cybersecurity regulation and the possibility of fines for non-compliance have driven action on the part of CIOs, CISOs, and executive management. Until recently, this was the only direct tie that organizations could see between information security and the bottom line. As we have seen in the past few years, though, that is no longer the case. Information security accounts for many more risks than fines for non-compliance: data breaches and theft, ransomware, and the resulting breakdown in consumer and vendor trust following an event. This elevation of information security professionals to executive- and boardroom-level discussions has driven the rise of integrated risk management practices and risk-assessment-based approaches to what were once the three silos of governance, risk, and compliance. Yet CEOs in Gartner’s 2018 CEO Survey cited regulations and laws as the primary external factor constraining company growth.
Striking a balance between prioritizing the risks and cyber threats specific to your organization and protecting data and meeting security practice requirements for seamless operations is a difficult challenge for CISOs looking to adopt a risk-based compliance cybersecurity program.
Building Cybersecurity Compliance Into Your IRM Program
Prioritizing a risk-based approach does not mean that a program abandons compliance. Remember that these compliance regulations are designed to be the baseline requirements for all organizations in a given industry or location, based on common cybersecurity risks. A risk-based approach to compliance does require different thinking, though: one that is more sustainable and prepares the organization for future regulations as they emerge.
Starting At The Foundation
Your organization's security team has probably already identified the necessary compliance requirements based on its industry and operating locations, and you may already have a process in place to meet them. The goal here is to meet those requirements while also addressing the possible security breaches and unique risks facing your organization that a regulatory requirement might not cover.
Start by aggregating your information system security requirements, whether you are a hospital processing sensitive information that must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, a financial institution that must meet the Sarbanes-Oxley Act, or an e-commerce company that processes credit card data and must meet Payment Card Industry Data Security Standard (PCI DSS) requirements, along with data protection requirements such as the General Data Protection Regulation (GDPR) for the European Union or the California Consumer Privacy Act (CCPA) for California residents. For the most part, cybersecurity regulations are rooted in a few core frameworks that are so comprehensive that regulators regularly draw from them to create and update regulatory compliance standards.
These core frameworks are:
- International Organization for Standardization (ISO) 27001
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Special Publication 800-53
- Center for Internet Security (CIS) 20
Taking into account which of these frameworks are the drivers for your organization’s compliance requirements (e.g., DFARS for contractors working with defense agencies is derived from NIST 800-53, and NYDFS is derived from the NIST CSF), you can begin to get a sense of which core framework you should build your security program around. While it is never guaranteed that regulatory bodies will pull exclusively from one framework or another, understanding which one is a primary driver can put your organization ahead of new regulations before they emerge or before existing ones are updated.
Building to Your Organization
By prioritizing the foundational frameworks, your organization can meet a swath of compliance requirements without duplicating effort. This approach, coupled with CyberStrong’s ability to clone security assessments for similar assets, has been shown to significantly reduce the repeated effort that many technical and business leaders identify as a hindrance to business growth. Furthermore, as Gartner states, compliance will account for 30% of IRM spending by 2023, indicating that managing multiple compliance standards will only become more prevalent for information security leaders as well as their CEOs and boards.
By 2023, more than 30% of total organizations’ spending on IRM will be from corporate solutions. - Gartner
How CyberStrong Enables A Stronger Compliance Program
In 2019, Gartner identified five core capabilities of information security and compliance solutions: policy development and management, investigative case management, workflow and business process management, control assessment and monitoring, and aggregation and normalization. CyberStrong not only enables all of these core capabilities, including workflow automation, continuous monitoring of compliance, and intelligent assessment data aggregation, but also addresses areas that Gartner identified as future-facing functionalities for forward-thinking risk and compliance teams:
- Machine learning and natural language to interpret regulations: CyberStrong users have access to a group of standard frameworks written in natural language. This enables participation from the right stakeholders, not merely the technical stakeholders who can read the technical framework language.
- Ability to track compliance requirements and map them to existing practices for the purpose of budget allocations that are otherwise deprioritized: CyberStrong teams use the Drill Down functions on our dashboards to visualize gaps in their security and benchmark against the necessary compliance requirements. Further, by using patented AI-backed remediation Optimizations, teams can see which security controls offer the lowest cost and highest ROI, and so determine where to focus budget.
- Ability to track effort spent on compliance activities in order to capture the cost of control testing, audit prep, audit support, and remediation coordination: CyberStrong users monitor a comprehensive list of compliance activities using completion cost fields at the control level and by breaking down specific elements within compliance notes.
Aligning with IRM Practices
The concept of an integrated risk management program and platform is predicated on recombining the silos of governance, risk, and compliance, alongside security and privacy, as a means of driving secure business growth in real time. As we have seen, the compliance-versus-risk-based approach is a critical element and one that weighs heavily on the minds of technical and business leaders alike.
As discussed, the most significant friction point for compliance teams meeting compliance requirements is getting ahead of new regulations as they are released. Taking a foundational approach to compliance frameworks, and using CyberStrong to reduce duplicated effort, not only reduces time to compliance but also minimizes the bottleneck traditionally associated with compliance teams protecting and securing critical infrastructure. CyberStrong users consistently report exponential reductions in assessment time, which have facilitated more productive conversations with executive management and enabled secure digital transformation.