Almost every major country today is devising some form of compliance or legislation that aims to protect the confidentiality, integrity and availability (a.k.a. the CIA triad) of information systems. Per Gartner research, cybersecurity and regulatory compliance have become the two biggest concerns of corporate boards.
While compliance does not always equal security, MIT research shows that compliance enables accountability in businesses, assures adherence to regulations, serves as a point of transformation, and demonstrates an ongoing process. Failure to meet regulatory compliance can expose the organization to several business risks — operational failures, regulatory penalties, and damaged customer trust and reputation. There’s also the matter of avoiding cyber insurance claim rejections, because some cyber policies are underwritten on the guarantee that the organization will operate in accordance with applicable regulations. For the above reasons, there’s an urgent need for organizations to improve their compliance processes. Here are five best practices that can help:
- Know Which Laws, Standards, and Regulations Are Applicable
Knowing what you must accomplish is vital to getting started. So whether it’s NIST, PCI, HIPAA, GDPR, CCPA, or the NYDFS, it’s really important to make a note of what regulations are applicable. Some might be applicable depending on the industry you belong to or the country you operate in; some might be applicable based on the type of business transactions you carry out or the information you store; some regulations might apply based on who you do business with and their contractual obligations.
- Know Where You Are
This step involves determining the level of compliance in the business and identifying where the gaps are. The idea is to conduct an in-depth self-assessment that helps uncover strengths and weaknesses in the overall compliance posture. Self-assessments have other benefits too — they give us a much better understanding of the processes and security around parts of the organization, and they also give us practice in dealing with auditors and answering cybersecurity-related questions. The goal of a self-assessment is basically to figure out what you need to do and how close you are to doing it.
- Organize, Organize, Organize
One of the key things about achieving security compliance is streamlining and organizing information so that answering questions, pulling up information, or auditing a system or a process becomes much easier. Being able to quickly answer questions from the auditor will generally make things much easier and set the tone for the audit. Another reason for keeping the answers and evidence organized prior to an audit is to have everything ready in advance – this avoids duplicate work and speeds up the audit process.
- Once More, From The Top
In the end, compliance is a business risk and a business decision. If the executives don’t understand the risks associated with failure, it can leave you in a tough spot. The job of the compliance officer is to explain the costs and risks of compliance and non-compliance. It’s up to the executive team to determine if they are willing to accept the risk and if they are willing to do something about it. Some studies indicate that compliance is a cultural issue, and culture is always contagious. That’s why leadership must lead by example and outline the behavior they expect from staff.
- Take A Systematic Approach To Governance
Compliance managers must arm themselves with tools that not only help implement governance systematically, but also help them stay on top of the always-evolving regulatory landscape. Tracking in Excel spreadsheets is far from ideal: evidence collected has to be stored in a different location, and there are no reminders and no way to delegate tasks. This is where GRC (governance, risk and compliance) tools come in handy. GRC tools are incredibly powerful in managing compliance processes, giving management real-time status on where they are in the compliance journey. They offer a centralized place to view or submit evidence, run audits, set reminders, delegate tasks, etc. A key component of compliance is ensuring that employees have read and signed your security policies. GRC tools can help maintain records of policy signatures and risk identification. Risk wizards can walk you through determining your level of risk tolerance and how you want to manage it. And if you’ve ever had to fill out long, in-depth vendor risk questionnaires, GRC tools can also help manage, simplify and significantly speed up the process.
For businesses to succeed in their compliance efforts they need a holistic approach, i.e., identifying risks proactively and mitigating them systematically, preferably using a unified platform that is purpose-built for compliance. Since compliance will always be a moving target, businesses must continuously assess the effectiveness of their compliance program and not treat it like a check-box activity. Organizations that give proper focus to both security and compliance can not only boost their reputation and competitive advantage but also significantly bolster their cyber resilience.
About the Author
Stu Sjouwerman is founder and CEO of KnowBe4, [NASDAQ: KNBE] developer of security awareness training and simulated phishing platforms, with 50,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at firstname.lastname@example.org.