Are You Just Checking Boxes? Turning Compliance into Real Security

Adan
4 min read · Aug 7, 2023

In many companies, compliance is the main objective of the cybersecurity department. For some, it’s the only reason to invest in cybersecurity. Compliance with specific regulations is mandatory for many organizations depending on their line of business. Does your company handle credit card data? Then PCI-DSS is non-negotiable. Do you have personal data from EU citizens? GDPR is a must. Are you dealing with health data within the US? Welcome to the kingdom of HIPAA. Furthermore, you might want to obtain an ISO certification or a SOC2 report to demonstrate your security commitment and drive sales.

However, it’s widely recognized that compliance doesn’t automatically equal security. So, it’s crucial for cybersecurity teams working towards compliance to seize this opportunity to enhance their overall cybersecurity. But how can we make compliance a catalyst for better cybersecurity? Let’s delve into some practical strategies to do just that.

First, let's understand why compliance differs from security and why a company that adheres to various laws, standards, or frameworks might not be secure.

Compliance vs. Rapid Tech Advancements

Compliance frameworks can’t keep up with the latest technological advancements and cyber threats. Although these laws, standards, and frameworks are periodically updated, the pace of those updates often falls short because technology, hacking techniques, and cyber threats evolve rapidly. Sometimes, during an audit of a new technology, we might find that the required controls are inappropriate for it, or that previously valid controls are now obsolete. For example, in the past, several frameworks required users to change their passwords periodically, while at the same time NIST Special Publication 800-63B recommended moving away from forced password changes at predefined intervals:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Flexibility and Interpretation

No compliance framework covers every aspect of cybersecurity, or examines the details of every technology. Due to the rapid evolution of technology and the vast number of technologies, frameworks only focus on specific areas and often offer flexibility for the implementer to choose appropriate security measures. For example, Article 5(1)(f) of the GDPR stipulates that personal data shall be:

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Companies or individuals may interpret this mandate differently, implementing unique solutions to defend against unauthorized or unlawful processing. Despite this, it’s important to note that these interpretations and the implemented solutions may not always be the most effective for ensuring security.

The Blind Spots of Audits

Auditors also often have a specific scope within which they operate. This means they may only examine certain aspects of an organization’s operations, potentially leaving vulnerabilities or compliance gaps outside the audit’s scope. Likewise, audits are time-bound and resource-constrained, which can limit the depth of analysis and investigation into potential issues; some may go unnoticed.

Having understood why compliance doesn’t equate to security, let’s explore how we can improve our security while navigating our path to compliance.

Communication Over Imposition

“This change is required because of compliance.” We might be tempted to impose changes required by laws, regulations, standards, or frameworks on other teams and argue that the change is necessary for compliance. While this may facilitate compliance, it doesn’t enhance security. Building a good relationship with other departments is a crucial part of security; other departments can assist in resolving security issues and keep you informed about new activities that might require attention. We may alienate other departments if we enforce changes without sufficient justification. Therefore, when requesting changes for compliance, we should explain the rationale behind them. This fosters collaboration, creativity, and project ownership, and we’re more likely to secure better cooperation if we articulate how these changes benefit the business. As I wrote here, cybersecurity is here to help, and we have to be the bridge between complex security problems and practical solutions.

Balancing Risk with Business Impact

Assess the risks the compliance requirements are addressing and prioritize those most critical to the business. Implement the controls that have the least impact on risk as efficiently as possible, so you can allocate more resources to the higher security risks. If we make the changes that provide the most value for the business, it will be easier to convince other departments of their importance. For less critical controls, look for ways to implement them that minimize disruption.

Avoiding Redundancy

Given the many laws, regulations, standards, and frameworks currently in existence, we’ll likely want to, or be required to, comply with several of them. To do so efficiently, it’s recommended to use a master mapping between the frameworks so that each change aligns with all of them and we avoid redundant work. Luckily for us, AuditScripts.com has created the Critical Security Controls Master Mapping, which relates the controls of many different frameworks to one another.

In conclusion, while compliance isn’t a direct guarantee of security, by going beyond mere checkboxes, understanding the gaps, focusing on the most critical controls, and enhancing communication between teams, we can leverage the support and resources granted for compliance to genuinely enhance our cybersecurity.

Adan

Cyber Security Engineer interested in Pentesting | Cloud Security | Adversary Emulation | Threat Hunting | Purple Teaming | SecDevOps - https://adan.cloud/