BUSINESSMANAGEMENTREVIEW.COM | AUGUST 2024 | 19

that they have the basics covered in information security and that they are safe and secure. In other words, it's marketing! It makes the sales teams' job easier, as existing customers and new leads most likely require those certifications as part of their third-party risk management program. But as we see on the news on a regular basis, these companies still get breached. Being ISO 27001 compliant and following the NIST RMF doesn't prevent you from getting breached by cyber criminals; it simply ensures you follow industry best practices. Depending on your business, having that baseline may not be enough: you may need to go a step further in securing the organization to reduce the likelihood of a breach.

Businesses typically have the wrong mindset when it comes to compliance. Instead of pushing the GRC and InfoSec team to achieve a certain certification to make selling their product easier and increase revenue, they should change their mindset and use these compliance frameworks to improve their overall security, all while still aligning with business goals. I can assure you that if you get breached, a lot of customers will switch to a different vendor because they will have lost all the trust they had in you. That is true even if the security page on your website has a bunch of green checkmarks next to those compliance frameworks and standards. On top of losing customers, if it turns out you weren't properly protecting user data such as PII or PHI despite being GDPR compliant, you will pay a hefty fine!

The goal here is to continuously improve your overall security posture rather than simply trying to stay compliant for the next round of yearly audits. Staying compliant should be rather simple. There are tools and SaaS vendors out there that help you stay compliant by integrating with common tools like Jira, Workday, and your cloud provider, such as AWS, GCP or Azure. This makes it possible to automate evidence collection, reporting, metrics and alerting, as well as to use the APIs to verify that technical controls are still in place. Beyond confirming that the controls are in place, it's extremely important to test them to make sure they're actually doing their job and to validate that they work. Having many security controls in place is quite useless if they're not working as intended. Automating all of this and more will allow you to spend more time on improving your organization's security baseline.

When both your governance and your risk management program are working well and improving your security baseline, compliance follows more easily. Your GRC program should focus on each letter in that acronym in order: G, R and then C! Focusing on that, improving your security baseline and going beyond it will also eventually make passing those audits easier. So if the business wants to go for another certification, you can be confident that you'll achieve it, since you will already have put in the work to improve the overall posture, instead of simply focusing on achieving a new certification.