
Integrated Risk Management, NIST Cybersecurity Framework, Cybersecurity Frameworks

Integrating GRC: Considerations for NIST Governance, Risk, and Compliance


For many cybersecurity programs, compliance has been both the cornerstone and the catalyst: the reason the program exists in the first place. Since the rise of the information technology function within the enterprise, security has been a priority both for companies and for the governing bodies of the industries and jurisdictions in which they operate. For many entities, compliance is critical to keeping the business running and to winning new business. From the Department of Defense and the DFARS mandate to the New York Department of Financial Services and 23 NYCRR Part 500, organizations across a range of industries and locations are bound by baseline requirements meant to ensure they are secure enough.

Are We Secure?

Heads of information security and CISOs hear the age-old question from their superiors often: Are we secure? As cybersecurity reporting to boards becomes routine, a simple yes or no is no longer sufficient. In much the same way, a checkbox compliance approach to a cybersecurity program is no longer sufficient. Whether an organization is secure depends in part on meeting its compliance requirements, but in today's technology-driven business climate, stopping at the baseline requirements is not enough.

Why Compliance Standards Exist

To understand the role that compliance standards play in an integrated risk and compliance program, think of them as the physiological level of Maslow's hierarchy of needs: the foundational requirements like food, water, and shelter. The function of a compliance standard set by a governing body is to ensure that every participant in that industry has implemented enough security practice to take part without endangering the ecosystem. On their best day, compliance standards stand between society's most critical functions and the failures that would bring that society to a grinding halt. That is why we most often see standards in highly regulated industries where failure is not an option: energy and utilities, banking and finance, defense and aerospace.

These industries have been deemed critical to the ongoing function of our society and therefore need to be at least secure enough.

Enough Is Not Enough

Here's the thing: in many cases, enough is not enough. Standards and requirements are written for the lowest common denominator; they are designed to be achievable by companies of varying sizes and sometimes very different functions. As a result, they are often general, and meeting them does not by itself secure any particular organization adequately. Prescriptive and valuable at the industry level, compliance standards are insufficient grounds for one organization to assure its CEO and board that it is secure.

Fundamental Frameworks Transcend Compliance

We have covered before how the continued rise of compliance standards overtaxes cybersecurity teams. This groundswell of regulation will only continue as it spreads to new industries and locations. Reacting to each new cybersecurity risk management framework as it emerges will leave organizations reeling. The strategy for integrating compliance activities into a cybersecurity program begins with a guiding, foundational framework, and the one I most recommend as that North Star is the NIST Cybersecurity Framework. The reason is that many of these standards either draw on the CSF directly or map cleanly onto its core functions and categories; the CSF itself publishes informative references that map each subcategory to controls in other standards such as NIST SP 800-53 and ISO/IEC 27001, so the crosswalk from the foundational framework to a given requirement is usually already documented. When security leaders focus on the foundational principles, the CSF, rather than on each compliance requirement in isolation, the result is significantly less menial effort spent meeting overlapping demands. The best way to future-proof a cyber program against new compliance requirements is to focus on the foundational framework that informs them.

Integrating Governance, Risk, and Compliance With the NIST CSF

For leaders looking to integrate their governance, risk, and compliance activities, there is another reason to use the NIST CSF as the guiding force for compliance: the NIST portfolio of frameworks and publications brings all GRC activities under one banner. The NIST CSF is designed to integrate with the NIST Risk Management Framework (and the newer NIST Privacy Framework). Further, the CSF's outcome-based approach supports translating tactical cybersecurity risk and compliance activities into business outcomes, a critical function for today's cybersecurity leader.

Check out our guide to the NIST CSF for more insights and best practices.

While the result is far more valuable than the alternative, implementing the NIST CSF can be complicated. An automated risk assessment tool that streamlines the process and can ingest and operationalize any other framework, regulatory or otherwise, is critical. Choosing the right cyber risk management solution for this task, and in turn preparing your cybersecurity organization for the future, depends on selecting a lightweight and nimble tool that can integrate your governance, risk, and compliance activities.
