CISO Perspectives on Complying with Cybersecurity Regulations


Compliance requirements are meant to increase cybersecurity transparency and accountability. As cyber threats increase, so do the number of compliance frameworks and the specificity of the security controls, policies, and activities they include.

For CISOs and their teams, that means compliance is a time-consuming, high-stakes process that demands strong organizational and communication skills on top of security expertise.

Which CISOs care most about compliance?

How CISOs view cybersecurity compliance can vary greatly, depending on their company size, geography, sector, data sensitivity, and program maturity level. For example, if you're a publicly traded company, you'll have no choice but to comply with multiple regulations, as well as maintain risk assessments and corrective action plans.

If you're a government agency or sell to one, you'll have specific public sector compliance requirements to meet. Banks, healthcare organizations, infrastructure operators, eCommerce companies, and other enterprises have industry-specific compliance rules to follow.


Even if you don't fall into one of these categories, there are many reasons you'll need to demonstrate security best practices, such as seeking SOC certification or applying for cybersecurity insurance. For all organizations, broad cybersecurity compliance frameworks like NIST CSF and ISO provide models to follow and structures for communicating results.

That said, "security does not equal compliance" is a mantra often heard among CISOs. Certainly, just because you're compliant, that doesn't mean you're secure. Highly mature cybersecurity organizations may consider compliance the bare minimum and go well beyond the required components to protect their organizations.

Compliance as a business enabler

While a CISO can recommend cybersecurity investments and practices to meet compliance requirements, they aren't the ultimate decision-maker. Therefore, a key responsibility of a CISO is communicating the risk of non-compliance and working with other company leaders to decide which initiatives to prioritize. Risk, in this context, incorporates not just technical risk, but also business risk.


Let's say an organization isn't fully meeting a security best practice for privilege management. While non-compliance could result in regulatory fines and shareholder lawsuits, the underlying security gaps could cause an even greater impact on the business, including downtime, ransomware payments, and revenue loss. Meeting compliance requirements, on the other hand, could deliver business value, such as faster sales, stronger partnerships, or lower cyber insurance rates.

As part of a comprehensive risk management program, boards and executive leadership must weigh the costs and benefits of ensuring compliance with the potential costs of non-compliance. In some cases, they may decide that a certain level of risk is acceptable and choose not to implement additional safeguards. In other cases, they may double down.

CISOs need partners in compliance

CISOs aren't in the compliance boat alone. They must build partnerships with legal teams, privacy officers, and audit or risk committees to understand changing compliance requirements and decide how to address them.

Compliance teams do many things that security engineers and analysts don't have the time or resources to do. They hold security accountable, double-checking that the controls are working as expected. They act as intermediaries between security teams, regulators, and auditors to demonstrate compliance, whether that means collecting evidence through manual security questionnaires or via technology integrations.

For example, for a public sector certification, security controls need to be monitored and logged, with at least six months of data retained as evidence that the controls actually did what the organization said they would do.

Tools and resources that support compliance

Risk registers are helpful in aligning all stakeholders by documenting all risks and organizing them by priority. With everyone looking at the same information, you can agree on appropriate actions. As part of a risk management program, policies, standards, and procedures are regularly reviewed, and any changes approved before implementation.

Using tools like GRC systems and continuous compliance monitoring, organizations can track ongoing security activities and report results. GRC systems can link to SIEMs to collect logs, and to vulnerability scanners to show that checks were completed. "Instead of shuffling spreadsheets around, we've built various connectors that integrate with our GRC platform to evidence that we are in compliance," explains the tech CISO. "They map across certifications in a single pane of glass, so when an auditor comes in, we show them a screen that says, 'Here's the evidence.'"

In addition to tooling, many companies rely on third parties to conduct compliance assessments. They may perform an internal compliance audit before an external one to make sure there are no surprises if regulators come calling.

Comply once, apply to many

Most organizations have numerous compliance bodies they must answer to, as well as cyber insurance providers, customers, and partners. While compliance can be a burden, the good news is that there are techniques to streamline the assessment process.

For example, Privileged Access Management (PAM) requirements like password management, Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC) are common across compliance frameworks. You can dig into the specifics to see how PAM shows up in a variety of compliance requirements on Delinea.com.

Emerging compliance requirements

Compliance is a fluid space with requirements that evolve to address changing risk patterns and business conditions. CISOs are looking to compliance bodies for guidance on managing emerging cyber risks, such as Artificial Intelligence.

Moving forward, CISOs expect that ensuring compliance will become an even greater part of their job. As the industry faces ever-growing threats, compliance is a key part of a strategic and comprehensive approach to cybersecurity risk management.

Take action today to enforce policies and ensure the security and integrity of your cybersecurity framework.
