Vice President, Delivery, Coalfire
The risks posed by the continually escalating number, variety, and sophistication of cyberthreats have in many ways redefined and reshaped our corporate landscapes. Over the past decade, not only have business systems, processes, and procedures adapted to the omnipresent need to minimize cyber risk, but organizational structures themselves have morphed right along with them. As a result of these changes in ownership of cybersecurity and cyber compliance, many organizations do not align the activities and efforts of the two functions, even though those activities have so many commonalities and both functions share the goal of reducing cyber risk for the organization.
Where once IT departments were wholly charged with both systems and security, most large enterprises have added CISOs and dedicated Cybersecurity organizations to address the pressing demands of cyber defense. Simultaneously, many companies in industries rife with risk also have Chief Risk Officers, Compliance and Risk groups, or individuals tasked exclusively with addressing the many regulatory requirements, including (but not limited to) cybersecurity regulations. And coming soon, the General Data Protection Regulation-mandated Data Protection Officer will join the crowd in every organization that hosts and/or processes EU citizen data. The debate continues regarding where this staff member should report.
How does this organizational complexity facilitate (or hinder) the end goals for the organization? While both cybersecurity and cyber compliance share the common objective of providing greater security and customer data protections, the Who, What, Where, When, and Why behind them are different; for these reasons, they are organizationally separate in many companies. Yet there are significant efficiency, productivity, and end-to-end cybersecurity advantages in forging partnerships ‘across the aisle’ between these functions. There are also distinct disadvantages, and even risks, in keeping these activities strictly within silos.
Cybersecurity-related compliance regulations, such as FedRAMP, PCI-DSS, HIPAA, and many others, are focused on demonstrating the security of the systems and processes related only to specific activities, processes, or transactions, which form a subset of the enterprise environment. Compliance teams play an essential role in assuring these requirements are met within the timeframes specified by the applicable regulations, including the ongoing monitoring and continuation of controls between assessments, thereby minimizing risk to the business and assuring ongoing operations. Meeting compliance, however, demonstrates only that the subset of the enterprise involved in supporting that process or system is secure; it does not demonstrate that the enterprise itself is secure.
Clearly, Compliance and Risk teams are not charged with assuring that the entire enterprise is secure, but with demonstrating that controls have been implemented to support the required compliance framework. However, by partnering with Cybersecurity teams, or at a minimum keeping the lines of communication with them open, the following advantages can be achieved:
- Improved efficiency: Many of the activities involved in cyber compliance are also part of security best practices. By better understanding what activities Cybersecurity teams are actively engaged in or have recently completed, Compliance teams may be able to achieve their goals faster, while providing the security team with additional insights that support compliance and also improve overall security for the organization. At the end of the day, a very strong cybersecurity program should enable the organization to meet most of its compliance requirements. Cross-dialogue can enable both groups to meet their goals more efficiently.
- Reduced redundancy: Cybersecurity teams may already be engaged in, or planning to begin, a cybersecurity assessment or cyber initiative of their own. Through a joint understanding of ongoing efforts, these projects can be worked in tandem to reduce redundant effort. By sharing upcoming cyber compliance timelines, Cybersecurity can actively plan its activities in harmony with that schedule, reducing overall work and third-party vendor expenses.
- Avoiding even more risk: Having two teams working independently on cybersecurity controls can actually introduce risk to the business. While both teams have the best of intentions in pursuing their direct goals, either securing the organization or demonstrating its security for compliance purposes, their activities can sometimes conflict or open the organization to additional risk. For example, some compliance activities require opening firewall rules to scan internal networks; without proper notification, planning, and discussion with the security team, this could be done improperly and provide an opportunity for additional cyberattacks. Proper communication and relationships between compliance and security teams will always find a way to demonstrate security without compromising the security architecture established for the business.
- Building better, more collaborative partnerships: Compliance and Risk teams are often in the unenviable position of being seen as gatekeepers or roadblocks. When it comes to cybersecurity and compliance, both groups have the same ultimate goal: to reduce risk to the business. Additionally, cybersecurity is every employee's responsibility. Forging partnerships based on the common vision of being vanguards against risk facilitates better long-term working relationships.
At Coalfire, we often work with both Compliance professionals and Cybersecurity teams within the same organization. In our experience, the best cybersecurity end result—for both compliance and overall security posture—is achieved when these teams are in active collaboration. The success is typically driven by the Compliance teams leveraging the many enterprise controls that have been established for the organization, while engaging with the Cybersecurity team to add additional controls to meet specific compliance frameworks and demonstrate the effectiveness of existing controls.
Adam Shnider is the Vice President, Delivery at Coalfire. His responsibilities include delivering security and audit services to Coalfire clients and leading operations and services related to PCI, FedRAMP, FISMA, HIPAA, GLBA, and many other security specialties. Adam has assisted clients in understanding and defining security requirements within their environments to meet PCI expectations, performed SSAE 16 audits, and supported cloud service providers in preparing for and becoming authorized to offer services to federal agencies. Additionally, Adam has worked with several clients to help identify and provide guidance to improve their security posture. Adam is a PCI-DSS Qualified Security Assessor (QSA), CISSP, CISM, and CISA.