Blog post originally posted on MSSP Alert
Traditionally, compliance and security teams have worked independently, often in silos with separate budgets and disparate data and tools, making collaboration and effective decision-making difficult, if not impossible.
When compliance laser-focuses on checklists and regulations, and security keeps its eyes down on the technical specifics, critical information is often lost between the two, inadvertently introducing unseen — and often unmitigated — risks.
Yet, try as these two disciplines may to operate independently, the reality is their interdependencies have always linked them.
Or, at least they should be linked. They need to be linked. Joined at the hip.
Now, more than ever, it’s increasingly imperative to break down these silos and encourage security and compliance to work together.
Today, organizations face more threats than ever before, and attackers are increasingly sophisticated and aggressive in taking advantage of these weaknesses.
Big Business for Attackers Isn’t Just for Big Business
These traditional program disconnects, which might have previously been considered a problem just for big companies, also create risk for small and mid-size businesses (SMBs). That’s the same for organizations whether they are just beginning their cybersecurity and compliance journeys or those that are more mature in their GRC efforts.
And if the risk landscape weren’t already challenging enough, there’s also increased regulatory pressure with more compliance and cybersecurity mandates, expanding attack surfaces, more attack vectors, tighter budgets, and smaller staff created by recent cutbacks and layoffs.
On top of that, customers, executives, and key stakeholders are more engaged, wanting to know how their favorite brands and companies manage security and compliance. Ultimately, they want to know you’re doing what you’re supposed to do and keeping their sensitive and protected data safe.
More regulations, more guidelines, and more expectations all mean more data your teams have to collect, store, and analyze.
So, how do you get the most out of security and compliance working together? Here are 5 ways your organization can increase efficiency, save money, and meet increased regulatory demands and customer expectations.
1. Use cybersecurity best practices to help meet compliance requirements.
Implementing cybersecurity best practices, such as adopting industry-recognized frameworks and controls, can help your organization meet, and often exceed, compliance requirements.
And while great security often means compliance, unfortunately, compliance doesn’t always equal great security. That’s why, in terms of efficiencies and cost-savings, it may be beneficial to approach both from a security-first perspective.
Or, in other words, make it a priority to integrate cybersecurity practices into the core of your business.
To do that effectively, you can no longer approach either from a traditional checklist or audit-looming standpoint. Instead, think of security and compliance as ongoing, continuous processes that work together but also need specialized focus and management.
The benefit? You’ll have more insight into program interdependencies. That insight should illuminate where you have overlaps and are doing duplicate work so you can automate and streamline tasks to decrease errors and increase efficiency. This will become increasingly important as your operations scale and the volume of projects your security and compliance teams manage increases. It should also help you identify gaps that need your attention before attackers can take advantage of them.
Yet, even with a security-first approach, you’ll still have a long list of items your teams need to prioritize based on your organization’s unique needs and requirements. How do you do that? This is where compliance can help.
For example, use compliance metrics (such as real-time framework compliance scoring) and risk ratings (the potential impact of a risk on critical operations) to determine which security activities to focus on first.
By taking a security-first approach, you should quickly reap the benefits of new efficiencies, including the ability to document what your team members need to do, when they should do it, and who should be accountable. This can drive collaboration beyond security and IT into other key operational areas and help your teams better harness, evaluate, and share data, increasing transparency around security and compliance.
2. Use frameworks as baseline security playbooks.
Compliance can be used as a cyber playbook. How? You can use frameworks as a baseline to build project plans around your security program with a lot of options. You can do exactly what the framework entails for compliance or even further mature your program by adding additional controls to your organization’s unique needs and environment.
A PwC market study says that today about 95% of organizations follow at least one security framework (e.g. SOC 2, GDPR). At Apptega, 83% of our customers use more than one framework, with the average using two or three simultaneously.
Typically, organizations implement frameworks based on business needs and government or industry regulations. Here are 10 of the most common:
- NIST Cybersecurity Framework (CSF): While developed for critical infrastructure, many organizations outside of that sector are using NIST CSF as best practice, especially large enterprises.
- ISO 27001: The most well-known and adhered-to framework for information security management systems, it is commonly used by organizations such as law firms, insurance entities, accounting firms, and others. It’s a solid framework for information security and works well with other frameworks such as CIS.
- SOC 2: Generally for organizations that do business in the cloud. It’s also beneficial for auditing vendors along your supply chain.
- PCI: PCI focuses on financial services, credit cards, and payments. Because an increasing number of organizations are getting into payment services, this is a good framework to consider.
- NIST 800-171: Good for organizations doing business with the U.S. Department of Defense (DoD).
- CMMC: Required for many organizations doing business with DoD. Interestingly, CMMC, when the final version comes to fruition, may impact more than 350,000 businesses.
- HIPAA: For healthcare organizations to manage privacy and security of personal health information (PHI) and other sensitive data.
- CIS v8: Best practices to protect your organization from cyber threats.
- General Data Protection Regulation (GDPR): Regulates how organizations that do business in the European Union (EU) and meet specific standards must manage and protect personal data.
- California Consumer Privacy Act (CCPA): Affects organizations that collect or store data about California residents.
When you’re thinking about ways compliance and security can better work together, think in terms of automation. With a security and compliance automation platform, you can accomplish more with fewer resources, and limit the risk of human error.
Though these platforms are becoming widely available at affordable prices, many organizations are still stuck in the “old way” of managing security and compliance by building out extensive spreadsheets that reflect framework controls that must be met and then manually updating word processing documents. Is there a better way?
By embracing task automation, building a solid compliance and security program can be easy for any organization of any size. It moves program development and management away from something only the security or IT team can do and opens up valuable collaboration opportunities across your organization, including from critical teams such as legal and HR, which have traditionally been overlooked within security and compliance silos.
Sometimes, large enterprises let each division run its own security and compliance frameworks, with one team not fully sure what another team is doing. By using a multi-tenant security and compliance platform, everyone on your team will have insight into what the others are doing, and you can eliminate duplicate control and sub-control work – including controls that are similar from one framework to another – by unifying your programs in a single platform.
What’s that look like in a real-world example? One Apptega customer, Kalahari Resorts, manages frameworks for PCI, HIPAA, and SOC. If the company were to manage all of the control families from all of these frameworks, employees would be responsible for managing 60-70 control families. However, with Apptega automation, they’ve been able to manage the program down to 18 control families that satisfy all three frameworks. Want to take a deeper dive into how they’re doing it? Check out this case study.
4. Consolidate your vendors and make your CFO happy by spending less and increasing efficiencies.
In this economy, many organizations are looking at tightening their budgets and consolidating vendors.
But that can be difficult to do given the number of cybersecurity and compliance tools on the market today.
How do you know which ones you need, and how to take full advantage of the ones you already have?
Look for tools you can successfully map to your security and compliance program. Also, seek out a security and compliance automation platform that integrates with those tools so you can pull all relevant data into one place. Why is this important? A centralized dashboard provides continuous insight into how your frameworks and controls perform in real-time. This can also help your teams quickly identify what’s not working so they can fix it before attackers take advantage of your weaknesses.
In the end, you may discover you don’t actually need all of the technologies that are in your current stack, and with the automation support, you may be able to decrease the number of tools you manage.
5. Cyber insurance is an emerging driver for robust compliance and security programs.
Cyber insurance is getting increased attention across most industries. That’s because, as more and more organizations grapple with breaches, cyber insurers are getting increasingly strict about what evidence they’re requiring from insureds to approve claim payouts.
The cyber insurance industry is rapidly changing. Companies are no longer just asking a few questions about your program. They’re wanting to see more of your data. If you don’t have all of your security and compliance records in one place, like within a framework management platform, it will be increasingly challenging to meet their requirements and obtain coverage.
It wouldn’t be surprising to some day see cyber insurers monitoring security and compliance in real-time — similar to how auto insurers track driving with devices and apps. Instead of what’s commonly happening now — where you can often offer up a checklist of controls and frameworks — in the future, cyber insurers may also require you to demonstrate your controls and frameworks function as intended.
Consider what that would look like for your organization. Do you have a security and compliance platform ready to help you on this journey? If you have a central repository for all your data, you can more easily show it to third parties like insurers and auditors, as well as your customers, vendors, executives, and other partners.
Want to see how Apptega can help your organization break down the silos between compliance and security to increase efficiencies while cutting costs? See Apptega in action for yourself.