The Role Of Cyber Security In Compliance
Compliance needs to be viewed as a continuous, organizational process and not a reactive response, according to Cyber Security Hub’s recently released report Decreasing Risk Through Enterprise Compliance. As a myriad of industry regulations and legislation have increased complexity in C-suite decision making, CISOs must educate executives on new and evolving risks and why investments in cyber security are more critical than ever.
The desire is there. Business leaders want to understand cyber risk at a high level as it relates to overall business processes, so cyber security teams need to do a better job translating security data into business metrics, according to the 2019 ESG report, The Pressing Need For Comprehensive Cyber Risk Management.
By aligning security programs with business objectives, CISOs have an opportunity to lead their organizations and ensure cyber security and compliance go hand in hand, the enterprise compliance report said.
Governance, risk management and compliance
Because compliance and risk should go hand in hand, organizations should consider implementing a governance, risk management and compliance (GRC) program to help improve information sharing among the three disciplines.
“There is a symbiotic relationship between compliance and risk mitigation,” said ESG Global Senior Principal Analyst Jon Oltsik. “As compliance standards get tougher, it also helps to further monitor, manage and mitigate risk.” A risk management program can address real-time requirements, monitor dynamic changes, analyze data and make mitigation decisions while priorities and timing change, Oltsik said.“I don’t think compliance will ever keep up with this pace, but real-time, cyber risk management will certainly help organizations better monitor, manage, and audit compliance initiatives as well,” he added.
The compliance aspect of GRC defines how an organization conforms to stated requirements. Management processes identify the applicable requirements and consider the role of legislation, industry regulations and company policies, according to the enterprise compliance report. Processes also must be implemented to assess the state of compliance. Then a gap analysis can be conducted to identify the risk and potential costs associated with achieving compliance vs. the risks and potential costs for non-compliance. The outcome of this exercise informs the business about prioritizing any corrective actions, the enterprise compliance report said.
The good news is a 2019 ESG survey found the vast majority of organizations expect to increase spending on cyber risk management in the next year. But with that comes the need for security leaders to provide greater visibility to business leaders and board members, ESG stressed. This may be accomplished through a combination of additional communications, continuous monitoring, defined metrics, and more expansive cyber security programs, the firm said.
The role of cyber security in compliance
Organizations risk fines and penalties for not following laws and regulations. Internal policies combined with state and federal laws are necessary to achieve compliance. Governance ensures employees, employees, officers and partners of an organization are fully aware of compliance policy.
Just as risk assessments are implemented in other aspects of cyber security, when used in compliance, they raise awareness of the potential for a data incident and its impact on an organization, the enterprise compliance report states. These assessments can be presented to executives and boards to effectively illustrate the risks associated with cyber threats.
Industries perceived as having lower risk to threats or organizations with fewer resources may not prioritize compliance programs and instead focus on targeted security programs. For example, an organization may invest in security awareness training for the workforce rather than endpoint defense strategies. However, this trade-off increases organizational risk and creates potential vulnerabilities that go unchecked.
In contrast, a compliance program requires guidelines for asset protection that might otherwise increase risk. Partnerships among key business stakeholders such as compliance, legal, IT and privacy are critical to the success of cyber security.
“Security leaders should always work with their overall risk management or risk officers that have the duty of identifying overall risk of the organization,” said Jothi Dugar, CISO of the NIH Center for Information Technology.
Regulatory compliance frameworks
There are a multitude of established regulatory compliance frameworks that can help an organization tie its processes to established industry requirements, specifications and government legislation. CISOs and other cyber security professionals need to determine their organizations’ specific needs to match them to the appropriate framework.
The report lists several, along with the role cyber security professionals play in each framework. They include:
• PCI DSS
• ISO/IEC 27000
But as NIH’s Dugar points out, “merely complying with a framework does not add value to the organization.”
Cyber security as an opportunity – not an obligation
Today, there is really no such thing as a non-regulated industry but there are under-regulated industries, said data privacy and cyber security law expert Jamal Hartenstein.
So it behooves cyber security leaders to approach regulatory compliance as a business opportunity instead of an obligation. “This means turning compliance into a competitive advantage, getting ahead of industry competition before underregulated industries become regulated,” said Hartenstein.
Cyber security leaders can support compliance with currently under-regulated industry guidelines by adhering to frameworks, he advised. “This will decrease the cost of compliance efforts in the future when legislators catch up, and it will prepare them, so the bite doesn’t hurt their pockets so much once regulations gain teeth.”
The value of third-party partnerships in compliance
An independent, external assessment helps organizations demonstrate transparency in their regulatory compliance programs. In fact, cyber security expertise specific to the organization’s industry was the leading response in a recent survey of security leaders identifying the most important quality of an enterprise-class vendor, according to Doug Cahill, vice president and cyber security group director for ESG Global.
When third parties are brought in to conduct a compliance and security assessment of what an organization has in place, they are able to suggest mitigations without bias, the cyber risk management report states.
The enterprise compliance report also cites best practices from industry experts for integrating cyber security into compliance programs. For more information, download the entire report here.