As a business professional—especially if you’re responsible for cybersecurity, compliance, organizational resilience or business continuity—you may feel overwhelmed by how much you need to accomplish with limited resources, while stretched for time. All of that’s been further complicated by our “new normal” of managing business with increased challenges created by the coronavirus pandemic.
Because of that, when it comes to compliance and regulatory standards, you may be wondering what you can do that’s “just enough” so you can successfully pass your audits and respond to customer surveys, while not overcommitting and potentially overlooking gaps that may put your organization at additional risk.
So what can you do?
Amidst these pressures, a minimal, fast-as-possible approach may be tempting. If an upcoming audit or certification review requires compliance with a specific set of standards, regulations and protocols, why not do the minimum necessary to check-the-box on those and move on to the hundreds of other tasks at hand?
About 73% of organizations say that compliance requirements are leading drivers for information security and risk management programs.
Well, because quite simply, effective security and resiliency go beyond a checkbox approach to compliance.
Bad actors are not taking a minimalist approach, and potential threats are constantly evolving. Providing true protection for your organization requires an approach that goes beyond a one-and-done project. Successfully passing an audit and obtaining a certification or attestation is a significant milestone, but it is also a one-time event. Effective security and compliance is a process that grows and changes over time.
Here are 10 reasons why a checkbox approach to cybersecurity and compliance could be detrimental to your organization:
1. You May Overlook Vulnerabilities
A check-the-box approach can create tunnel vision. You may successfully meet the minimum standards to pass an impending audit, but it may narrow your team’s focus so much that you miss other important security and resiliency issues that put you at greater risk. This approach might accomplish a narrowly defined, short-term goal, but it may also leave gaps and vulnerabilities unexposed and create increased hurdles for subsequent audits.
2. Compliance Doesn’t Guarantee Effective Cybersecurity
Compliance is only a small part of an overall security and risk program. With a check-the-box approach, you may gain insight into a portion of your cybersecurity posture at a single point in time, but it doesn’t provide a complete picture of your overall status outside the scope of the compliance audit.
A check-the-box approach often fails to go deeper. Here are a few things often missed with this approach:
- What is your security or continuity baseline?
- How might your baseline change over time?
- Will you have more or fewer assets and risks in six months? A year?
- What are your current work processes and data flows, and how might they change as your organization scales?
- Do you know where you create and store all of your protected data?
- Do you know how your protected data flows through all your processes, beyond the scope of the compliance audit?
- Does your check-the-box approach take into account outside sources that might access your data, such as third-party vendors or suppliers?
- Do you have end-to-end accountability?
3. Achieving Compliance Does Not Eliminate Risks
Compliance does not necessarily equate to effective cybersecurity, and the process of ensuring compliance may not eliminate key risks. While compliance can help you identify and assess short-term acceptable risk, your organization should have a clear picture of your organizational risk appetite and how that appetite might change over time. And when it comes to risk, it’s not just about one department or team. Risk awareness is for your entire organization—now and in the future.
4. No Change in Program Maturity from Audit to Audit
It might seem reasonable that if you have no new issues from one audit to the next, you’re on the right path. But in reality, it’s more than that. For many auditors, not only do you need to show that you’re continuing to meet the minimum standards at the time of audit, but that you’re maturing processes over time, especially if your organization is changing or scaling during that time.
A set-it-and-forget-it approach is ill-advised. If you adopt a check-the-box compliance strategy—and that strategy doesn’t change or improve from one audit to the next—you may not qualify for the desired certification or attestation following the next audit.
5. Bigger Rewards for the Long Game
Compliance audits are time-consuming and failing to meet standards can be costly for your organization. To avoid the potential business impact of deficiencies exposed in customer surveys, you might be compelled to direct all your energy toward a successful check-the-box strategy to quickly address risks. While that might look like the easiest and fastest approach, you could set your organization up for unforeseen difficulties.
When it comes to compliance and security, consider a sustainable long-game strategy.
Often, when organizations first begin developing compliance, security, or risk management programs, they are compelled to adopt an all-or-nothing approach. They get bogged down in setting up a program that attempts to check every box without regard to compliance levels, organization goals, and future growth and maturity.
Rather than requiring every box to be checked at once, many compliance and security frameworks define a basic set of minimum requirements that narrow the scope of the first audit, with the expectation that processes mature over time and that lessons from the first review inform priorities for improvement as the program matures.
A planning horizon that looks beyond the next audit is critical to sustained success. When it comes to compliance, don’t just prepare for the audit you’re looking at in the near term. What’s going to happen for your organization next? How do you tackle those issues today and in the future?
6. Your Needs May be Broader Than Compliance
We mentioned earlier that a check-the-box approach to compliance can cause tunnel vision. But beyond that, just being “compliant” for one set of standards or a specific audit may not meet your actual organizational needs.
Often, these needs are much broader, so here are some questions you might ask outside of your compliance standards:
- What are your organizational goals and objectives?
- How do your compliance standards help meet those goals?
- How many compliance or security standards must your organization meet?
- Which additional standards would make your organization more resilient and secure?
- If you have multiple compliance or security frameworks, where do they overlap?
- Do you have duplicated processes or policies from one framework to another?
- How do you manage your frameworks? Are you using manual processes or a platform that enables you to see all of your frameworks and related components in one dashboard?
- Have you mapped all of your security and compliance frameworks to create a lowest common denominator view?
- Can you streamline duplicated processes to be more efficient?
- Do you have the insight needed to draw on what works well for one framework to improve gaps or resolve issues in another?
Here’s an example of how focusing on one framework or compliance checkbox while overlooking others can cause issues in the long run:
Let’s say an organization handles personal health information (PHI) and has an upcoming compliance audit related to the Health Insurance Portability and Accountability Act (HIPAA). So the team gets busy gathering evidence and checking the boxes to ensure they are well poised to pass the HIPAA-related audit.
The organization also accepts credit card payments for PHI-related services, which means it must also comply with PCI DSS. But while the team focuses on checking the boxes for HIPAA, and because they haven’t cross-walked the HIPAA and PCI DSS frameworks, they may miss some critical PCI DSS requirements while going through HIPAA audit preparation.
7. When It’s Pass or Fail, You May Lack Situational Awareness
Consider how much attack surfaces have expanded. Not long ago, a “castle and moat” approach was adequate cybersecurity protection: we just needed to protect our networks, limited hardware, and traditional IT devices. Today, attack surfaces include the cloud, hybrid cloud/on-premises infrastructures, IoT and IIoT devices, SaaS and similar systems, and web apps. When taking a pass-or-fail, check-the-box approach to compliance and security practices, the scope may easily become too limited, obscuring visibility into the broader threat scenarios that may pose significant risks.
And, if you’re just seeing compliance as pass or fail, what are you actually learning from your metrics? How can you benchmark your program? How do you know where you’re successful and where you need improvements?
8. Routine Analysis, Not Just Checkbox Reviews
When attack surfaces were smaller (for example, when there were fewer assets, such as traditional IT, and fewer known vulnerabilities) and potential continuity disruption lists were shorter, we could get by with periodic and infrequent reviews, like an annual audit. But today there are more assets and vulnerabilities than ever before, and the list of potential disaster or disruption scenarios gets longer by the day. That means being truly safe and resilient requires more frequent checks, or even continuous monitoring, of resiliency and security measures.
If you’re just focused on your next checklist for compliance, you could miss key areas such as:
- What changes have occurred since the baseline was established?
- Which new issues (vulnerabilities, risks, standards, disruptions) exist today?
- How many more assets and more asset types are at risk?
- Which new vulnerabilities are related to those assets?
9. It’s Not Someone Else’s Problem
A check-box compliance strategy often places the burden on a single team. For example, accountability for preparing for a privacy audit might rest solely with the privacy officer, or preparation for a cybersecurity audit may fall to the IT team. This approach can create a culture of “it’s not my problem,” whereas security, compliance, and resiliency should be everyone’s focus. When you’re just checking the box for an audit or review, issues can easily be missed or discovered too late because feedback and responsibilities aren’t incorporated across all teams, and because not everyone understands the role they play in overall success.
10. Compliance Might Not Be Integral to Company Culture
For many organizations, compliance is seen as a necessary evil, similar to an insurance policy – something with an easily calculated cost but no intrinsic value. This usually manifests as the “tone from the top” and permeates the organization. As a result, these organizations become biased toward taking a check-the-box approach to compliance audits, with no quantified justifications for a more comprehensive approach.
Here are some of the key issues that can arise when compliance and security aren’t part of your corporate culture:
- Lack of executive support
- No key stakeholder buy-in
- Lack of program ownership
- Lack of understanding of how individual roles contribute to overall compliance and security success
- Challenges identifying gaps before a disruption or breach occurs
- Lackadaisical approach toward compliance and security when auditors aren’t conducting an active assessment
With an impending audit in this type of environment, you may have no choice but to tactically prepare for the short-term to achieve a positive outcome. Then you can build on the momentum to focus energy on improving your program and strengthening your processes on an ongoing and continual basis.
Evolving Beyond a Check-the-Box Approach
Many of the risks associated with a check-the-box approach are self-evident, yet this approach to cybersecurity and compliance is far too common. Cybersecurity initiatives currently underway with the U.S. Department of Defense (DoD) provide a timely example of the prevalence and risks of a check-the-box approach to cybersecurity and compliance.
Previously, contractors and subcontractors in the Defense Industrial Base (DIB) were trusted to self-assess and report their cybersecurity compliance status based on NIST 800-171. Random independent assessments revealed that many organizations in the DIB that had self-attested to compliance with NIST 800-171 were, in fact, taking a check-the-box approach and were out of compliance with the regulation.
Because of the significant gaps and growing concerns of terrorist cyber-attacks, a new Cybersecurity Maturity Model Certification (CMMC) program is in development. This program will implement mandatory third-party certification assessments to eliminate a check-the-box approach to cybersecurity and compliance for more than 300,000 organizations in the DIB and ensure that comprehensive, effective measures are put into practice.
Some organizations in the DIB see this as unnecessary overhead and are taking a wait-and-see approach as CMMC is rolled out. Others are being proactive and preparing for the new assessment and certification process. Not surprisingly, those taking a proactive approach are seen as less risky and more attractive as partners in the DIB supply chain. These organizations are already winning more contracts and growing faster than their competitors taking a wait-and-see approach.
These same organizations are also learning that CMMC and other cybersecurity mandates need not create additional overhead. A robust platform such as Apptega can streamline cybersecurity and compliance management and yield a significant return on investment compared to manual methods and tools.
If you need help streamlining your compliance processes and managing your frameworks, but are unsure where to start, our advisors at Apptega can help you get started on your compliance journey—or help you make stronger long-term plans for the future. Or, if you’d like to see Apptega in action, check out one of our on-demand demos here.