Can your company keep up with quickly-changing cyber security regulations?
Compliance with requirements and regulations is an ongoing challenge for businesses. In the cyber security space the threat environment is constantly changing: organizations have to meet some 500-600 different regulations and laws, Internet of Things (IoT) devices proliferate, and new, massive Distributed Denial of Service (DDoS) attacks are seen on a near-daily basis. As technology continues to evolve with innovations such as cloud computing and Big Data, security professionals are on a never-ending quest to stay up to speed on security controls and best practices.
It’s no secret that cyber security issues have increased in prominence and seriousness over the past several years. Starting with the infamous Target data breach, organizations have become more and more aware of the potential risks they face, and quicker to adapt to changing risks, regulations, laws and situations. Because regulatory changes can happen almost overnight, it has become essential for organizations to have a reliable process for keeping their compliance management up to speed, as well as a system of checks and balances to prove it. For companies, especially those operating in highly regulated industries such as finance and healthcare, the challenge of staying up to date is even more pressing.
Evaluate Overall State of Cyber Risk
So, what can organizations do to stay ahead of the game? As a starting point, organizations must first look internally to determine the overall state of cyber risk. As part of this process, deficiencies can be detected and a remediation process put in place to resolve any shortcomings. Taking a proactive stance and testing security controls internally on a routine basis can help an organization prioritize the risks associated with non-compliance and work swiftly to resolve them. For example, an internal audit might reveal the absence of an incident response plan, or other areas that fall outside of compliance; either finding should immediately signal the need to enforce change to minimize the risk of a security incident.
Set Up a Formal Process for Compliance Management
A second step is to establish a formal process for IT risk management and compliance. Although many view compliance as a burdensome, check-the-box process that doesn’t do anything to keep an organization safe, it is actually the bedrock of cyber security. To effectively determine an organization’s cyber risk, vital security controls need to be observed and confirmed to work properly. When deficiencies are observed, the cyber risk is assessed, the condition is prioritized, and a remediation plan is prescribed. This may result in an auditor identifying the lack of an incident response plan, which is critical for minimizing the impact of a security incident. Security compliance validation is only a check-the-box process if that’s how you choose to use it.
Automate Compliance Reporting
A third step is to invest in automated compliance reporting. With each new wave of threats and breach disclosures comes a flood of expanded industry standards and compliance regulations. Compliance management solutions that provide dashboard summaries of security status can automate compliance validation and reporting, reducing audit overhead and costs. The latest compliance management software offers an efficient approach as well as a common language for discussing security compliance in business terms, enabling organizations to easily understand what specific steps must be taken in order to meet regulations. Automation tools can help organizations manage complex compliance requirements across multiple regulations, standards and frameworks, including the NIST Cyber Security Framework (CSF).
We’re starting to see organizations use security compliance management as a means of identifying potential pitfalls that may pose a risk down the road. When compliance validation is used to drive a robust cyber risk management process, it can help identify issues that pose credible risk to the organization. Relating these risks directly to industry-recognized standards and controls can help justify security investments and mitigate unacceptable risks.
Rick Tracy is Chief Security Officer at Telos Corporation. He joined the Company in October 1986 and has held a number of management positions within the Company’s New Jersey operation. He has pioneered the development of innovative and highly scalable enterprise risk management technologies that have become industry-leading solutions within the federal government and the financial services verticals. He is the co-inventor of Xacta IA Manager and is the principal inventor listed on five patents in the areas of automated risk and compliance management and continuous monitoring. Mr. Tracy assumed the role of chief security officer in 2004. Twitter: @rick_tracy