Ensuring compliance in the modern enterprise [Q&A]
An increasing volume of regulations surrounding the security and privacy of data has been implemented in recent years. This represents a challenge for businesses that need to ensure they remain compliant.
The challenge has become even greater due to the pandemic and the consequent shift in working patterns. So how can enterprises ensure that they remain compliant and don't fall foul of the rules?
We spoke to Shrav Mehta, CEO and co-founder of Secureframe, to find out.
BN: How has the urgency behind compliance changed as a result of the pandemic?
SM: The pandemic has indirectly created compliance urgency due to the need for enhanced security to keep a remote work environment safe. This has prompted many companies to reassess their security and IT processes within the context of a remote workforce. As consequences of the pandemic:
- Many companies have procured or increased their reliance on communication technologies and cloud infrastructure services to minimize business disruptions. Sensitive information is often transferred, stored, and processed via these solutions.
- Remote personnel are often using their devices for work and vice versa. Personal device security is typically a black box. On the other hand, unsecured work devices are more likely exposed to increased third-party risks (e.g. non-work applications).
- Companies are supporting additional access points for their remote personnel, which naturally increases their threat surface area. Remote access misconfigurations for applications, networks, servers, and databases make for ripe exploitation opportunities. Companies have minimal visibility into the security of home networks.
The fundamental business shift around remote work has changed security processes for the better. Today, companies are prompted to seek third-party validation of their security posture as early as a two-person startup trying to land its first proof-of-concept. No longer is security seen as a check-the-box exercise; it is now fundamental to any B2B business to keep its sensitive data safe.
BN: Some of the biggest and best-known cybersecurity incidents in the last two years have been attacks against critical infrastructure like Colonial Pipeline and SolarWinds. But there are no overarching regulatory compliance laws for critical infrastructure -- yet. What is the short-term solution?
SM: Unfortunately, there is no short-term fix here; rather, there needs to be a stronger call to action on vendors and their customers. Vendor leadership must be proactive with security investment and not wait for external pressures to spark change.
Customers should demand increased investments into security from their vendors. Unfortunately, many customers do not have bargaining power over their vendors, especially those in the critical infrastructure space. Customers often can't readily substitute these types of vendors or threaten to substitute to gain leverage on their vendors, as their products are typically core to their IT makeup. When evaluating new critical infrastructure vendors for the first time, prospective customers should increase their security due diligence and demand more assurance.
When assessing vendor risk, customers should utilize a variety of vendor security data points, such as internal use cases, penetration reports, security questionnaires, and even self-research, in addition to reviewing auditor compliance reports. IT auditors assess organizations from a wide lens; however, they often are not able to dive deep into client environments and fully understand system relationships, due to time constraints, lack of technical knowledge, missing system and process context, and/or obscurity around client-provided information. Critical security failures around change management and access control, which are often the root cause of breaches like those we saw at Colonial Pipeline and SolarWinds, go unnoticed.
Regarding regulatory action, President Biden recently signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law to actually mandate incident reporting requirements for organizations that fall under its umbrella. However, this won't likely take effect until next year and only aims to improve post-breach response and not pre-breach security maturity. We hope to see further regulation addressing the latter, especially around software development and change management security controls. Guidance on this was published by NIST last year; however, regulatory change has yet to occur, and this would likely affect only vendors that engage in federal contracts.
BN: Compliance is something that needs to be kept updated, yet it seems many companies don't realize they can quickly fall out of compliance if they fail to constantly monitor their security posture. What are some best practices that can help?
SM: Utilizing continuous compliance security monitoring solutions such as Secureframe certainly provides visibility into compliance deviations; however, bad habits and operational inconsistencies must be addressed internally from the top down. Without authority and adoption, specific best practices may only have spontaneous use or ultimately become shelfware that sees light only during audits.
Compliance and security need to become part of an organization's culture. Teams need to adopt a security-first mentality when it comes to building. As an example, self-approved code hotfixes and deploys can be warranted at times; however, it is easy for this to become semi-habitual among development teams.
The lack of continuous monitoring requirements in many commercial security compliance frameworks has positioned the SOC 2 Type 2 audit to become a required standard in order to do business with other businesses in the US. Pursuing compliance with frameworks that mandate continuous monitoring provides an opportunity to correct poor security hygiene.
BN: Do you see cyber threats escalating in the coming years? What should CISOs be thinking about?
SM: Remote work is here to stay. As a result, threat actors have positioned their attacks to take advantage of technological and process-based shifts in response to remote work adoption.
Allocating resources to support this remote-first business shift and maintain cyber resiliency in this new environment should be top of mind for CISOs.