Digital enterprises are grappling with an increasing number of compliance requirements and data regulations. There are geographic data privacy standards, varying by country and state, as well as industry-specific compliance regulations to adhere to. As governing bodies continue to issue new cybersecurity compliance frameworks, there is an escalating degree of complexity to manage.
In theory, reaching compliance should equate to improved security, but compliance audits often rely on outdated information and leave gaps exposed — it can be challenging to understand or validate their accuracy. And when a breach occurs, the responsibility often lands on the shoulders of CISOs, who may face termination or forced resignation depending on the exploit’s severity. (This may explain why CISOs are in such short supply these days.)
I recently met with Igor Volovich, VP of Compliance Strategy for cybersecurity compliance firm Qmulos, to learn more about the issues plaguing modern compliance procedures. According to Volovich, most organizations view compliance as just another hurdle, not something that actually helps improve security. Compliance checks are also manual, cumbersome and, surprisingly, rely on a lot of word-of-mouth accounts.
To Volovich, compliance needs data-driven, real-time analysis that is more automated and factual. Below, we’ll analyze the state of many compliance efforts and consider ways to make them run better.
Understanding the State of Compliance
These days, organizations must comply with many types of standards and regulations. Critical infrastructure is constantly a target for bad actors, which has influenced governing bodies, such as the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), to introduce hardened cybersecurity frameworks.
Businesses also have industry-specific guidelines to follow, such as the Payment Card Industry Data Security Standard (PCI DSS), which describes common threat patterns to avoid hacks and financial data leaks. Other compliance requirements are more internal — for example, the Federal Trade Commission (FTC) takes an active role in issuing consent decrees to companies that use deceptive tactics or violate their privacy promises to consumers.
Organizations must audit their technology processes to ensure their data-handling practices are up to snuff. Yet historically, meeting compliance requirements has been viewed negatively, says Volovich. It’s often seen as a nuisance with colossal overhead — plus, companies often just adopt the philosophy of implementing more and more “best of breed” cybersecurity tools to solve their needs, causing their expenses to balloon. As such, “how much do I need to spend to be secure?” is an all-too-common question.
Furthermore, Volovich notices many hurdles when conducting compliance reviews. Gathering this information often relies on many manual reviews and interviews — he describes this process as “opinion farming at scale.” Making matters worse, gathering real insights can involve a lot of teeth-pulling — leaders may encounter reluctance as engineers don’t want to expose workflow inefficiencies, he says. Too often, businesses end up relying on old, outdated, and offhand data to inform their compliance posture.
How to Fix Broken Compliance Processes
Failure to meet compliance requirements can result in hefty fines and harm a brand’s reputation. So, knowing these gaps in the average compliance processes, how can organizations fix them? Volovich shared some insights to help organizations ensure compliance regulations are met.
Don’t Rely on the Best-of-Breed Perspective
First off, higher spending on niche tools doesn’t always equate to a greater security posture. Instead, teams should consider where they are directing resources to address controls across their systems.
Use Real-Time Data
Compliance checks relying on outdated data are obsolete, especially given the rapid pace of change for software dependencies and new vulnerabilities. Thus, it’s important to evaluate a compliance footing based on real-time data produced by application systems, whenever possible.
Avoid Opinion-Based Judgments
Data-driven evidence is infallible. People, on the other hand, are biased and may even have motives to withhold information. Therefore, Volovich recommends trusting data, not people.
Introduce Compliance Automation
Any compliance requirements you can infer with data should be automated, says Volovich. Things like authorization issues, token reissuances, or recycling passwords are verifiable and can be checked with data produced by software systems. For example, Qmulos can analyze data collected by Splunk data search software and infer violations from a laundry list of compliance requirements.
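As an added illustration of the kind of automated, evidence-based check described above (this is example code, not Qmulos or Splunk code), the script below evaluates a password-rotation control from constructed Splunk-style JSON audit events: it flags accounts that reused one of their recent password hashes and accounts whose password is older than the policy allows. The 90-day maximum age and five-password history depth are assumed policy values.

```python
import json
from datetime import datetime

# Constructed sample events (not real data): audit records of the kind an
# identity system would forward to a log platform such as Splunk.
SAMPLE_EVENTS = """\
{"time":"2024-01-03T09:00:00Z","user":"alice","action":"password_change","pw_hash":"h1"}
{"time":"2024-03-01T10:00:00Z","user":"alice","action":"password_change","pw_hash":"h2"}
{"time":"2024-05-20T10:00:00Z","user":"alice","action":"password_change","pw_hash":"h1"}
{"time":"2023-09-15T08:00:00Z","user":"bob","action":"password_change","pw_hash":"h9"}
{"time":"2024-05-10T11:00:00Z","user":"carol","action":"login","result":"success"}
"""

MAX_AGE_DAYS = 90    # assumed policy: rotate passwords at least every 90 days
HISTORY_DEPTH = 5    # assumed policy: none of the last 5 passwords may be reused

def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def parse_events(text):
    """Parse newline-delimited JSON events and return them oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["time"] = parse_time(ev["time"])
    return sorted(events, key=lambda ev: ev["time"])

def check_password_controls(events, as_of):
    """Return {user: [finding, ...]} for reuse and stale-password violations."""
    findings, history, last_change = {}, {}, {}
    for ev in events:
        if ev.get("action") != "password_change":
            continue  # logins and other events are not evidence for this control
        user, hist = ev["user"], history.setdefault(ev["user"], [])
        if ev["pw_hash"] in hist[-HISTORY_DEPTH:]:
            findings.setdefault(user, []).append(
                f"reused a previous password on {ev['time'].date()}")
        hist.append(ev["pw_hash"])
        last_change[user] = ev["time"]
    for user, when in last_change.items():
        age = (as_of - when).days
        if age > MAX_AGE_DAYS:
            findings.setdefault(user, []).append(
                f"password is {age} days old (limit {MAX_AGE_DAYS})")
    return findings

def evaluate(text=SAMPLE_EVENTS, as_of="2024-06-01T12:00:00Z"):
    """Run the control check over a log extract as of the given UTC time."""
    return check_password_controls(parse_events(text), parse_time(as_of))
```

Running `evaluate()` on the sample data reports alice for password reuse and bob for a stale password, while carol, who only has a login event, produces no finding because the extract holds no evidence about her password either way.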
Avoid the Swivel Chair
Of course, not all cybersecurity framework controls can be automated away. Some will still require manual assessment. However, manual and automated assessments shouldn’t be separated into different platforms. Volovich recommends centralizing on a shared platform to avoid friction and constant context switching.
Collect and Store Data Relevant to You
Lastly, it’s good to track as many data points as possible. Yet at the same time, generating unnecessary data lakes can incur a high cost. Thus, organizations should look at their environment and map data collection relevant to the compliance frameworks they need to address.
There are many legal liabilities associated with mishandling compliance requirements, and nobody’s immune, says Volovich. Leaders can’t hide behind the complexity, and they shouldn’t trust compliance auditing built on a retroactive timescale — this could place businesses leagues behind where attackers are operating on the cutting edge. Therefore, he recommends employing evidence-based, real-time data and automating technical controls whenever possible.