Does the saying "compliance does not equal security" paint a holistic picture? Sure, the concept is genuine; meeting a single compliance standard will not directly improve security posture. However, after working with hundreds of organizations, we have learned there are key considerations that can help maximize the value and urgency of compliance requirements by channeling such efforts into more practical risk assessments.
Worldwide, new privacy and cyber regulations are announced nearly every week. Almost all of these regulations focus on setting a minimum security standard and directing the organization to measure "compliance." But what is often lost when organizations translate these regulations into action plans is the concept of assessing actual risk rather than just complying with requirements.
Cyber Security Risk Assessments Set the Foundation
Cyber risk assessments are foundational to building and measuring a mature cyber security program. So, why are so many organizations not taking full advantage of regulator demands to unlock their actual value? Translating regulations into reality is challenging, and organizations often seek to meet the letter, not the spirit, of the law. However, they shouldn't be judged harshly. Small organizations without a team of GRC professionals can find it complicated just to evaluate whether they are meeting regulations, and taking further steps is often beyond them.
This is unfortunate because most cyber security regulations require an information security program to be in place to meet compliance. Before starting a "true" information security program, most organizations must invest time and effort to determine their current risks and the effectiveness of existing controls. This step is so foundational that organizations that publish best practices, such as NIST and ISO, dedicate specific sections and categories of their cyber security frameworks to the concept. Further, certain regulators, such as the New York State Department of Financial Services and the Securities and Exchange Commission, require organizations to perform a risk assessment periodically to meet compliance. This regulatory pressure creates an opportunity for an organization to follow the spirit of the regulation and implement a risk assessment.
The primary challenge of implementing a risk assessment is understanding the organization's risks. This process is more complicated than it sounds, especially when performing it against one's own enterprise. Scrutinizing one's own internal information security program and IT infrastructure can be challenging. After completing hundreds of risk assessments, often for organizations taking that first step from compliance to security, we identified a few factors that can help elevate a compliance exercise and turn it into an actual risk assessment.
Risk Assessment or Gap Assessment?
The first factor is to establish whether you are performing a risk assessment or just a gap assessment. A gap assessment looks at the risk controls and compares them to a specific framework, such as HIPAA or NYS DFS NYCRR 500. These gap assessments provide a helpful point of comparison, especially if an organization must comply with those requirements. But compliance does not equal security, and whether you meet a specific control is less critical than addressing the real risks. A true risk assessment will not only evaluate your controls with a particular framework for reference but will also be crafted and prioritized with the latest industry threat intelligence and your organization's specific risk profile in mind.
Policies and Procedures on Paper and in Real Life
The second factor is to ensure that the policies and procedures on paper meet regulations and best practices. In the aftermath of an incident, policies and procedures are going to be scrutinized by regulators and opposing counsel, so ensuring they meet or exceed the minimum standards is essential. A gap on paper does not always mean a gap in practice, but it certainly does not look good in court when you are using a cocktail napkin as part of your proof of an incident response plan. The documentation that regulation often requires can also help demonstrate greater cyber security maturity.
Risk Assessments Must Go Beyond IT
The third factor to consider is how your organization uniquely manages data and what controls are in place to protect that data. Some risk assessments focus only on specific technical controls and work solely with the IT team. While IT is essential, it is only half of the risk picture. Assessors can only fully understand the adequacy of controls when they see the impact of a control failure on the organization's ability to use or manage sensitive data, and they can only achieve that by leaving the IT space and meeting other stakeholders. A proper risk assessment takes the time to blend IT and business interviews to paint a better picture of the risks the organization faces.
Security Controls Must Be Regularly Tested Once Implemented
The fourth factor is ensuring controls are adequately implemented. Many people will say that they have certain controls in place, but upon closer inspection those controls are not enabled, or are only partially enabled. On many occasions, we have identified multifactor authentication turned on for remote access, which is great, but not enabled for SaaS solutions like Salesforce, which leaves similar data at elevated risk.
Risk assessments are fundamental to building a robust cyber security program. Choosing to do one is not easy, but an organization can move beyond compliance towards risk reduction by going beyond a gap assessment, establishing the right policies, interviewing the right people, and validating that controls are in place.