A compliance-driven focus on building a cybersecurity program can be all too common.
Why?
· It is required of your industry to hold certain types of data based on the business offerings you provide.
· Your customer(s) require it as part of their third-party risk assurance process or contract.
· You don’t get appropriate buy-in or funding for what is needed to build a program aligned to risks in your company, so compliance becomes the “stick” to force the minimum actions.
Having compliance linkages in your program’s foundation is important, but does a cyber program that uses compliance as its primary goal very effective?
Regulations and laws are typically created to force and enforce actions of organizations because they don’t occur on their own, and enough issues have happened to force change (Re: the classic example of Sarbanes Oxley). Regardless of your political leanings on regulation or de-regulation, the expectations set forth by regulations will always be years behind and be broad enough to accommodate a variety of organizations. Additionally, using compliance to drive a design of a program when under time pressure or fear of potential business disruption typically ends in check-box processes and controls, iterative costs, and massive organizational time waste.
While it is true that some leaders and organizations do not have a choice to rapidly meet compliance or urgent customer expectations, I have a couple of essential elements of advice for you if you have an opportunity to pull up and reset, or are starting a journey at a new company:
- Get the basics right:
Almost all compliance, maturity, and control frameworks share 80% of the same fundamentals. Build these fundamentals according to your business’s operational needs and risks with well-defined, repeatable, sustainable, and scalable components: processes, technology, and the right internal/external people to support them. - Play offense, not defense:
Let your program components be informed by compliance needs, but not iteratively reactive to additive disparate certs, attests, regulations, and customer demands. If you build a holistic cyber program with intention, compliance and audits will be simple, and of minimal impact, not million-dollar Hail Mary scrambles. Your future self, team, budget, and company will thank you for it!
If you want to talk to us about how our very experienced team can help expedite your journey, please reach out.
