

Nowadays, organizations of all sizes are compliant with some framework, standard or regulation. For example, your company may have a SOC 2 Type II report or an ISO 27001 certificate. If your company processes PII or PHI, you might be GDPR, CCPA or HIPAA compliant. Then there are SOC 1, PCI and SOX if your company processes financial or credit card data. That is just to name a few; there are plenty more popular ones, such as FedRAMP and FIPS. However, do these compliance certifications and reports mean these companies are secure? The answer is no.
Why do organizations want to attain those certifications and become compliant anyway? One of the main reasons, if not the main reason, is that they want to show their current customers and prospects that they have the basics of information security covered and that they are safe and secure. In other words, it’s marketing! It makes the sales teams’ job easier, since existing customers and new leads most likely require those certifications as part of their third-party risk management program. But as we see in the news on a regular basis, these companies still get breached. Being ISO 27001 compliant and following the NIST RMF doesn’t prevent you from getting breached by cyber criminals. It simply ensures that you follow industry best practices.
“Instead of pushing the GRC and InfoSec team to achieve a certain certification to make selling their product easier and increase the revenue, they should change their mindset to use these compliance frameworks to improve their overall security, all while still aligning with business goals.”
Depending on your business, having that baseline may not be enough; you may need to go a step further in securing the organization to reduce the likelihood of getting breached. Businesses typically have the wrong mindset when it comes to compliance. Instead of pushing the GRC and InfoSec team to achieve a certain certification to make selling their product easier and increase the revenue, they should change their mindset to use these compliance frameworks to improve their overall security, all while still aligning with business goals. I can assure you that if you get breached, a lot of customers will switch to a different vendor because they’ve lost all the trust they had in you, even if the security page on your website has a row of green checkmarks next to those compliance frameworks and standards. On top of losing customers, if it turns out you weren’t properly protecting user data like PII or PHI even though you are GDPR compliant, you will pay a hefty fine!
The goal here is to continuously improve your overall security posture rather than simply trying to stay compliant for the next round of yearly audits. Staying compliant should be rather simple. There are tools and SaaS vendors that help you stay compliant by integrating with common tools like Jira, Workday and your cloud provider (AWS, GCP, Azure and so on). This makes it possible to automate evidence collection, reporting, metrics and alerting, and to use those APIs to verify that technical controls are still in place. Beyond verifying that the controls are in place, it is extremely important to test them to make sure they are actually doing their job. Having many security controls in place is quite useless if they are not working as intended. Automating all of this, and more, will let you spend more time on improving your organization’s security baseline.
When both your governance and your risk management program are working well and improving your security baseline, compliance follows more easily. Your GRC program should focus on each letter in that acronym in order: G, then R, and then C! Focusing on that, improving your security baseline and going beyond it will also eventually make passing those audits easier. If the business then wants to go for another certification, you can be confident that you will achieve it, because you have already put in the work to improve the overall posture instead of focusing narrowly on obtaining a new certification.