Matthew Todd, Principal Consultant, Full Scope Consulting LLC
CISOs know that compliance is a critical part of modern business. Yet, they may not always know how their security program is supposed to meet compliance obligations.
Compliance is tricky for those of us leading security. It means meeting a set of minimum standards, defined by some external party, that may not always be completely relevant to our business.
As an essential part of the overall compliance process, CISOs must be all-in, from translating those standards into controls and processes all the way to reporting on how compliance obligations are met. At the same time, CISOs must ensure that all information risks (not just compliance ones) are properly prioritized and managed.
With the right tools and processes, compliance can be woven into the fabric of the business in a way that makes it easy—or at least the default. And with some careful planning, CISOs can help their companies stay on top of their compliance obligations even as tools, processes or business strategies change.
What Is Our Compliance Obligation?
For security teams, compliance boils down to meeting some minimum standards of data protection controls and processes. These are typically spelled out by someone outside of the business, like a legislative body, a regulator or a client. The fun part for security leaders like me is translating these legal standards into language the business can use.
When someone provides legal language—typically in the form of a law, regulation, or contract—it’s our job as CISOs to work with our team(s) to:
- Interpret it in light of our business goals and operations.
- Translate it into policy, procedures and technical controls.
- Roll it out to the company.
- Be prepared to reverse the whole process to demonstrate that our business is, in fact, complying with the legal requirements.
People: Teaming for Best Results
Your legal and compliance teams will tell you what specific sections of documents have compliance obligations that apply to your business operations and technology. I recommend making friends with colleagues in these departments and learning how to read legal terms.
Bounce ideas off your new friends, always being prepared to educate them about the controls and reporting you oversee. They aren’t technical or security experts, but they know a lot about process, just as most security practitioners aren’t lawyers but can sound awfully close at times. Being compliant and demonstrating compliance is a partnership.
Technology changes much faster than the law and client contracts. Poorly written bills or terms can be overly prescriptive, mandating the use of particular tools or technologies. Worse, they can preclude the use of other technologies. Even if you have a solid partnership with your legal team, you probably won’t be able to influence regulations. But try, because it’s possible. (I have!)
One area you can definitely influence is contract negotiations. Be sure your organization’s contract terms don’t include boilerplate requirements that aren’t appropriate for your business or don’t allow flexibility in the controls you use to ensure security.
The Compliance Process: Learning from Mistakes
Laws and regulations meant to protect the public from fraud and misbehavior on the part of companies establish minimum standards and responsibilities for various industries on matters of security, privacy, reporting, etc. Often the requirements are broad, including things like “due care” and “best practices,” which aren’t especially helpful for your security program. There are other ways to glean the meaning of “best practices” (keep reading to discover those).
Government and independent agencies act as regulators, assigned responsibility to interpret and enforce the laws. In the US, these include the FTC, SEC, FINRA, FCC, FAA, etc. Across the European Union, these include the EBA, EEA, BEREC, etc. In Asia Pacific, there's the SFC, MAS, BEAR and others.
Sometimes it’s not just a regulation dictating what you need to do. Regulatory authorities provide:
- Guidance memos.
- Current practices research (plus recommendations).
- Areas of focus for upcoming investigations and audits.
These can give you a sense of what regulators are most concerned about, along with examples of good (and bad) controls. Often, they refer to established standards or methodologies that can demonstrate a good security program (e.g., NIST CSF, NIST SP 800-171, ISO/IEC 27000, CIS Controls, Security by Design, Privacy by Design).
When regulated companies completely fail to meet basic security standards, regulators often make a public example of them. These are called enforcement actions. They’re another great source of guidance, because they signal what really annoys regulators.
If there is a data breach, fraud or some other fundamental failure that results in a regulator taking action, the details of the enforcement clearly define the minimum standards of due care. Keep in mind that regulators pay attention to each other. For example, if you’re a financial services firm regulated by the SEC, but not FINRA or the FTC, those infractions are also relevant because regulators like to keep abreast of the others’ enforcement activities. They learn from one another.
Compliance Technology: Layering Controls
Compliance, like security, needs to be built into every layer of your technology stack. You need to build compliance into technical and business processes, so compliance becomes the default. For instance, if access control systems are properly tied to ticketing systems and the HR information system (HRIS), ensuring and reporting on compliance with Identity & Access Management requirements becomes straightforward: every account can be traced to a current employee and an approved request.
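To make the access-control example concrete, here is an added illustration (not code from the article or from Full Scope Consulting) of the reconciliation that becomes possible once the access system, HRIS and ticketing are linked: each account is checked against the HR roster (leavers) and against approval tickets (joiners and movers), and every mismatch is emitted as a finding that can go straight into an audit report. The three record formats and all sample data are constructed assumptions, not any vendor's export format.

```python
"""Reconcile access-control accounts against an HR roster and approval tickets.

Added example: produces joiner/mover/leaver findings of the kind an auditor
asks for as evidence of Identity & Access Management compliance. All record
formats and data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Employee:            # assumed HRIS export record
    emp_id: str
    status: str            # "active" or "terminated"
    term_date: Optional[date]


@dataclass(frozen=True)
class Account:             # assumed access-control system export record
    username: str
    emp_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Ticket:              # assumed ticketing-system export record
    ticket_id: str
    emp_id: str
    approved_roles: FrozenSet[str]
    approver: str


# Constructed sample data: one clean account, one over-privileged account,
# one terminated employee still enabled, and one account with no HR record.
HRIS = [
    Employee("E001", "active", None),
    Employee("E002", "terminated", date(2024, 1, 15)),
    Employee("E003", "active", None),
]
ACCOUNTS = [
    Account("alice", "E001", frozenset({"reader", "admin"})),
    Account("bob", "E002", frozenset({"reader"})),
    Account("carol", "E003", frozenset({"reader"})),
    Account("mallory", "E999", frozenset({"admin"})),
]
TICKETS = [
    Ticket("T-100", "E001", frozenset({"reader"}), "manager-1"),
    Ticket("T-101", "E003", frozenset({"reader"}), "manager-2"),
]
AS_OF = date(2024, 3, 1)   # review date for the constructed data


def reconcile(hris: Iterable[Employee], accounts: Iterable[Account],
              tickets: Iterable[Ticket], as_of: date) -> List[Dict[str, str]]:
    """Return one finding per control failure; an empty list means clean."""
    roster = {e.emp_id: e for e in hris}
    # Union of roles approved per employee across all their tickets.
    approved: Dict[str, set] = {}
    for t in tickets:
        approved.setdefault(t.emp_id, set()).update(t.approved_roles)

    findings: List[Dict[str, str]] = []
    for acct in accounts:
        emp = roster.get(acct.emp_id)
        if emp is None:
            # Leaver control: no HR record at all, i.e. an orphaned account.
            findings.append({"control": "leaver", "username": acct.username,
                             "detail": "no HRIS record (orphaned account)"})
            continue
        if emp.status == "terminated" and emp.term_date is not None:
            # Leaver control: account still enabled after termination.
            days = (as_of - emp.term_date).days
            findings.append({"control": "leaver", "username": acct.username,
                             "detail": f"terminated {days} days ago, account still enabled"})
            continue
        # Joiner/mover control: every held role needs an approval ticket.
        unapproved = set(acct.roles) - approved.get(acct.emp_id, set())
        if unapproved:
            findings.append({"control": "joiner/mover", "username": acct.username,
                             "detail": f"roles without an approval ticket: {sorted(unapproved)}"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per control, the figure a compliance report leads with."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["control"]] = counts.get(f["control"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HRIS, ACCOUNTS, TICKETS, AS_OF):
        print(f"[{f['control']}] {f['username']}: {f['detail']}")
    print(summarize(reconcile(HRIS, ACCOUNTS, TICKETS, AS_OF)))
```

The design point is that the evidence falls out of the integration: because every account carries an employee ID and every role is tied to a ticket, the report is a join across three systems rather than a quarterly spreadsheet exercise. In practice the same check is run on a schedule, and a non-empty result is itself the trigger for a remediation ticket.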
In the early days of the cloud, service providers couldn’t provide the necessary guarantees (via contract or independent audit) that they could meet clients’ compliance requirements. This meant that most regulated industries were reluctant to embrace cloud computing. One of the dirty little secrets of co-located data centers was that they, too, often couldn’t provide the same guarantees, which meant clients had to have their own compensating controls if they wanted to be fully compliant. (Some still can’t, so check to be sure!)
Meanwhile, cloud service providers matured substantially. Many now provide services that meet compliance requirements on everything that they manage. Therein lies the rub, of course. Every security professional needs to know exactly where the lines are drawn between “cloud provider responsibility” and “client responsibility” when it comes to controls and data protection. With this understanding, however, even regulated industries are adopting public cloud.
There are significant compliance advantages to using public, hybrid or multi-clouds, including:
- You are responsible for fewer layers of the tech stack, which means less to focus and report on.
- Because of the way cloud services are delivered, both major cloud providers and third-party services provide valuable tools that can monitor, manage and even report on compliance with well-known security standards and regulatory frameworks.
- Constant innovation by both cloud providers and third parties means they can help you stay on top of compliance requirements even as technology changes.
- Cloud providers can even help you make decisions about when and how to integrate new components.
Security and Compliance Symbiosis
Security professionals should always treat compliance as a key risk that must be incorporated into their security programs—one that has very particular reporting requirements. And CISOs need to prove their companies are compliant, which means providing reports or other evidence to an auditor or regulator. Prepare in advance by starting to think first about the end result.
For example, if you need to demonstrate a certain compliance requirement, where do you need controls? How do you get evidence of them? Work backwards from there. Work all the way to updating your policies to include compliance requirements.
Consider also that your corporate training program will probably need an update to ensure everyone is on board with the mission and goals. Then, work with business teams to ensure procedures, controls and processes are updated and maintained. Finally, make sure innovation, development and vendor processes include compliance controls.
Even with clear policies and training, compliance can be difficult. And your company will never be compliant without good security. But good security isn’t enough to make you compliant.
If you work with your legal teams, understand your compliance obligations and build compliance into technology, controls and reporting, you’ll be the hero of your compliance team, lauded by your clients and cheered by the regulators. Well, maybe not, but a CISO can dream.