CISO perspectives on complying with cybersecurity regulations
Compliance requirements are meant to increase transparency and accountability for cybersecurity. As cyber threats increase, so do the number of compliance frameworks and the specificity of the security controls, policies, and activities they include.
For CISOs and their teams, that means compliance is a time-consuming, high-stakes process that demands strong organizational and communication skills on top of security expertise.
We tapped into the CISO brain trust to get their take on the best ways to approach data security and privacy compliance requirements. In this blog, they share strategies to reduce the pain of dealing with the compliance process, including risk management and stakeholder alignment.
Read on for recommendations for turning compliance from a “necessary evil” into a strategic tool that helps you evaluate cyber risk, gain budget and buy-in, and increase customer and shareholder confidence.
Which CISOs care most about compliance?
How CISOs view cybersecurity compliance can vary greatly, depending on their company size, geography, sector, data sensitivity, and program maturity level. For example, if you’re a publicly traded company in the United States, you’ll have no choice but to comply with multiple regulations, as well as maintain risk assessments and corrective action plans.
If you’re a government agency or sell to one, you’ll have specific compliance public sector requirements to meet. Banks, healthcare organizations, infrastructure, eCommerce companies, and other enterprises have industry-specific compliance rules to follow.
Security does not equal compliance
Even if you don’t fall into one of these categories, there are many reasons you’ll need to demonstrate security best practices, such as seeking SOC certification or applying for cybersecurity insurance. For all organizations, broad cybersecurity compliance frameworks like NIST CSF and ISO provide models to follow and structures for communicating results.
That said, “security does not equal compliance” is a mantra often heard among CISOs. Certainly, just because you’re compliant, that doesn’t mean you’re secure. Highly mature cybersecurity organizations may consider compliance the bare minimum and go well beyond the required components to protect their organizations.
Compliance as a business enabler
While a CISO can recommend cybersecurity investments and practices to meet compliance requirements, they aren’t the ultimate decision-maker. Therefore, a key responsibility of a CISO is communicating the risk of non-compliance and working with other company leaders to decide which initiatives to prioritize. Risk, in this context, incorporates not just technical risk, but also business risk.
Steve Zalewski, former CISO of Levi Strauss, likes to use the “carrot and stick” metaphor. “Audit and compliance historically have been the stick that makes you have to do something,” he shares on the Defense-in-Depth podcast, “but making [you] do it doesn’t mean that the business is aligned to the value of doing it.” To avoid friction, he recommends showing people the business value of compliant cybersecurity. “There has to be a carrot component to make them feel like they have a choice in the matter,” he says.
Leadership must weigh the costs and benefits of ensuring compliance with the potential costs of non-compliance
Let’s say an organization isn’t fully meeting a security best practice for privilege management. While non-compliance could result in regulatory fines and shareholder lawsuits, the underlying security gaps could cause an even greater impact on the business, including downtime, ransomware payments, and revenue loss. Meeting compliance requirements, on the other hand, could deliver business value, such as faster sales, stronger partnerships, or lower cyber insurance rates.
As part of a comprehensive risk management program, boards and executive leadership must weigh the costs and benefits of ensuring compliance with the potential costs of non-compliance. In some cases, they may decide that a certain level of risk is acceptable and choose not to implement additional safeguards. In other cases, they may double down.
How CISOs use compliance frameworks to plan their cybersecurity roadmap
Some CISOs use compliance frameworks as a methodology for techniques and processes to incorporate in their cybersecurity program. Essentially, they inform program priorities and create a shopping list for must-have solutions that align with the program they’re trying to build.
On the Audience First podcast, Brian Haugli, former Fortune 500 CISO, sees a difference between being compliance-dependent and using compliance frameworks to guide informed risk management. “We can’t be black and white. We have to be able to make risk-based decisions, to say, ‘I will accept this risk because I can’t afford to close it right now. But I will do these things to mitigate risk to a low enough level that allows me to accept them.”
CISOs need partners in compliance
CISOs aren’t in the compliance boat alone. They must build partnerships with legal teams, privacy officers, and audit or risk committees to understand changing compliance requirements and decide how to address them.
Sometimes these internal partners require security teams to implement stronger controls, but they can also put on the breaks. As one CISO of a fast-growing technology vendor told us, “Frankly, Legal outweighs me every day of the week. They tell me what I can and can’t do. I would love to be able to monitor everyone’s behavior, but privacy laws say I can’t do that.”
Compliance teams do many things that security engineers and analysts don’t have the time or resources to do. They hold security accountable, double-checking that the controls are working as expected. They act as intermediaries between security teams, regulators, and auditors to demonstrate compliance, whether that means collecting evidence through manual security questionnaires or via technology integrations.
For example, for a public sector certification, security controls need to be monitored, logged, and retained for at least six months of data to evidence that they’ve done what they said they were going to do.
Tools and resources that support compliance
Risk registers are helpful in aligning all stakeholders by documenting all risks and organizing them by priority. With everyone looking at the same information, you can agree on appropriate actions. As part of a risk management program, policies, standards, and procedures are regularly reviewed, and any changes approved before implementation.
Using tools like GRC systems and continuous compliance monitoring, organizations can track ongoing security activities and report results. GRC systems can link to SIEMs to collect logs and vulnerability scanners that show checks were completed. “Instead of shuffling spreadsheets around, we’ve built various connectors that integrate with our GRC platform to evidence that we are in compliance,” explains the tech CISO. “They map across certifications in a single pane of glass, so when an auditor comes in, we show them a screen that says, ‘Here's the evidence.’”
In addition to tooling, many companies rely on third parties to conduct compliance assessments. They may perform an internal compliance audit before an external one to make sure there are no surprises if regulators come calling.
Comply once, Apply to many
Most organizations have numerous compliance bodies they must answer to, as well as cyber insurance providers, customers, and partners. While compliance can be a burden, the good news is that there are techniques to streamline the assessment process. “If you look across all the major compliance bodies, about 80% of the requirements are the same,” says the CISO of a SaaS provider. “You can align with a framework like NIST and apply the same practices across them all.”
For example, Privileged Access Management (PAM) requirements like password management, Multi-Factor Authentication (MFA), and Role-Based Access Controls are common across compliance frameworks. You can dig into the specifics to see how PAM shows up in a variety of compliance requirements on Delinea.com.
Emerging compliance requirements
Compliance is a fluid space with requirements that evolve to address changing risk patterns and business conditions. CISOs are looking to compliance bodies for guidance on managing emerging cyber risks, such as Artificial Intelligence.
Moving forward, CISOs expect that ensuring compliance will become an even greater part of their job. As the industry faces ever-growing threats, compliance is a key part of a strategic and comprehensive approach to cybersecurity risk management.
For more on this topic, check out Delinea’s 401 Access Denied podcast episode: Securing Compliance: Expert Insights with Steven Ursillo
Need a step-by-step guide for planning your strategic journey to privileged access security?