Compliance requirements are designed to increase cybersecurity transparency and accountability. As cyber threats increase, so does the number of compliance frameworks and the specificity of the security controls, policies, and activities they encompass.
For CISOs and their teams, this means compliance is a time-consuming, high-risk process that requires strong organizational and communication skills in addition to security expertise.
We engaged a think tank of CISOs to get their views on the best ways to meet data security and privacy compliance requirements. In this blog, they share strategies to make dealing with the compliance process less painful, including risk management and stakeholder coordination.
Read our recommendations for transforming compliance from a necessary evil into a strategic tool to help you assess cyber risk, secure budget and support, and increase customer and shareholder confidence.
Which CISOs are most concerned about compliance?
CISOs’ views on cybersecurity compliance can vary widely depending on their company size, geography, industry, data sensitivity and program maturity level. For example, if you are a public company in the United States, you will have no choice but to comply with multiple regulations and maintain risk assessments and corrective action plans.
If you are a government agency or sell to a government agency, you need to meet specific public sector compliance requirements. Banks, healthcare organizations, infrastructure, e-commerce companies, and other businesses all have industry-specific compliance rules that they need to adhere to.
Security does not equal compliance.
Even if you don’t fall into one of these categories, there are many reasons why you need to demonstrate security best practices, such as seeking SOC certification or applying for cybersecurity insurance. For all organizations, broad cybersecurity compliance frameworks such as NIST CSF and ISO provide a model to follow and a structure for communicating results.
That said, “security does not equal compliance” is a mantra often heard among CISOs. Just because you’re compliant doesn’t mean you’re secure. Highly mature cybersecurity organizations may view compliance as a bare minimum and go well beyond the required components to protect their organization.
Compliance as a business enabler
While CISOs can recommend cybersecurity investments and practices to meet compliance requirements, they are not the final decision-makers. Therefore, a key responsibility of the CISO is to communicate non-compliance risks and work with other company leaders to decide which measures to prioritize. In this case, risks include not only technical risks but also business risks.
Former Levi Strauss CISO Steve Zalewski likes to use the “carrot and stick” metaphor. “Historically, audit and compliance have been the stick that makes you have to do something,” he shared on the Defense in Depth podcast, “but making [you] do so does not mean the business is aligned with the value of doing so.” To avoid friction, he recommends showing people the business value of compliant cybersecurity. “There must be a carrot component that makes them feel like they have a choice in the matter,” he said.
Leadership must weigh the costs and benefits of ensuring compliance against the potential costs of non-compliance
Suppose an organization does not fully meet security best practices for permissions management. While noncompliance can result in regulatory fines and shareholder lawsuits, potential security breaches can have a greater impact on the business, including downtime, ransomware payments, and lost revenue. On the other hand, meeting compliance requirements can deliver business value, such as faster sales, stronger partnerships, or lower cyber insurance rates.
As part of a comprehensive risk management plan, boards and executive leadership must weigh the costs and benefits of ensuring compliance against the potential costs of noncompliance. In some cases, they may decide that a certain level of risk is acceptable and choose not to implement additional safeguards. In other cases, they might double down.
How CISOs use compliance frameworks to plan cybersecurity roadmaps
Some CISOs use compliance frameworks as a methodology for choosing the technologies and processes to incorporate into their cybersecurity programs. Essentially, the frameworks inform program priorities and create a shopping list of must-have solutions that are consistent with the program they are trying to build.
On the Audience First podcast, former Fortune 500 CISO Brian Haugli describes the difference between relying on compliance alone and using a compliance framework to guide informed risk management.
“We cannot be black and white. We have to be able to make risk-based decisions, which is, ‘I’m going to accept this risk because I can’t afford to close it right now. But I do these things to reduce the risks to a low enough level that I can live with them.’”
CISOs need compliance partners
CISOs are involved in more than just compliance. They must develop partnerships with legal teams, privacy officers, and audit or risk committees to understand changing compliance requirements and determine how to address them.
Sometimes these internal partners require security teams to implement stronger controls, but they can also hold security back. As one CISO of a rapidly growing technology vendor told us, “Frankly, the law is more important than me every day of the week. They told me what I could and couldn’t do. I’d like to be able to monitor everyone’s behavior, but privacy laws say I can’t.”
Compliance teams do many things that security engineers and analysts don’t have the time or resources to do. They hold security accountable and double-check that controls are working as expected. They act as an intermediary between security teams, regulators and auditors to demonstrate compliance, whether that means gathering evidence through manual security questionnaires or through technology integration.
For example, for public sector certification, security controls need to be monitored and documented, and the resulting data retained for at least six months, to prove that the organization does what it says it does.
Tools and resources to support compliance
A risk register helps coordinate all stakeholders by recording all risks and organizing them in order of priority. When everyone is viewing the same information, you can agree on appropriate actions. As part of the risk management plan, policies, standards and procedures are regularly reviewed and any changes approved before implementation.
Using tools such as GRC systems and continuous compliance monitoring, organizations can track ongoing security activities and report the results. GRC systems can be linked to the SIEM to collect logs and to vulnerability scanners to show that checks have been completed. “Instead of haphazardly organizing spreadsheets, we built various connectors that integrate with the GRC platform to demonstrate our compliance,” a technology-company CISO explains. “They draw various certifications on a single pane of glass, so when the auditors come in, we show them a screen that says, ‘Here’s the evidence.’”
In addition to tools, many companies rely on third parties to conduct compliance assessments. They may conduct internal compliance audits before external compliance audits to ensure there are no surprises when regulators visit.
Comply once, apply many times
Most organizations must answer to numerous compliance agencies as well as cyber insurance providers, customers and partners. While compliance can be a burden, the good news is there are technologies that can streamline the assessment process. “If you look at all the major compliance agencies, about 80% of the requirements are the same,” said the CISO of a SaaS provider. “You can align with frameworks like NIST and apply the same practices across all frameworks.”
For example, privileged access management (PAM) requirements such as password management, multi-factor authentication (MFA), and role-based access control are common in compliance frameworks. You can learn more about PAM’s specific role in various compliance requirements on Delinea.com.
Emerging Compliance Requirements
Compliance is a fluid space, with requirements constantly changing in response to changing risk patterns and business conditions. CISOs are looking to compliance agencies for guidance on managing emerging cyber risks, such as artificial intelligence.
Going forward, CISOs expect ensuring compliance will become an even more important part of their job. As the industry faces growing threats, compliance is a key part of a strategic and comprehensive approach to cybersecurity risk management.
For more information on this topic, check out Delinea’s 401 Access Denied podcast episode: Ensuring Compliance: Expert Insights from Steven Ursillo