Security leaders, especially in highly regulated industries, are overwhelmed because their security decisions are driven solely by audit and regulatory frameworks.
Many have to comply with HIPAA in healthcare, PCI DSS for payment card handling, and the Office of the Comptroller of the Currency (OCC) and FDIC in financial services, leaving security teams fatigued and unable to innovate. Over time, their strategy comes to mirror the organization's regulatory and compliance demands. This stunts the maturity of the security program and sharply increases the organization's risk, leaving it susceptible to cyberattacks and to substantial regulatory fines. The Citibank case is one example: Citibank was fined $400 million for falling short in its regulatory-driven risk management processes.
Over the years, I've observed that security leaders lose control of their programs because they try to meet the ever-growing demands of regulators, lines of business, an expanding attack surface, third parties, and so on. It's critical that security leaders drive the organization's security strategy, not the second line of defense (risk management), not the third line (auditors), and not regulators. After all, it's the security leaders who inform executives and board members of the risk to critical information assets and how to manage it, and whose jobs are on the line.
My recommendation? Security leaders should pivot from their institutionalized regulatory and audit-driven security programs to one that focuses on both risk and compliance.
Why risk-based strategies are essential
Those with a compliance-first security mindset are often suffocated by regulator inquiries and exams, audits, second-line-of-defense reviews, and other internal initiatives. While important, these activities compete for the CISO's attention with the work of deepening and widening preventative and detective capabilities. A risk-based mindset helps prioritize security activities by letting security leaders view their initiatives through a threat-aware lens.
Security leaders cannot move to a risk- and compliance-based program overnight. But by taking the first step, understanding that combining risk and compliance is non-negotiable, security teams can better protect their businesses. A security program built only on today's regulatory requirements risks being unprepared for tomorrow's. Instead, build a strong foundational program that anticipates future requirements and is based on the biggest risks to the business. Include all the controls and processes that are relevant to the business and focused on addressing and mitigating threats to the company. In other words, it's about finding a balance between risk and compliance and learning how to adapt and plan for future expectations. It's about building a security program that remains resilient over time.
Develop a strategic initiatives playbook
In creating such a playbook, develop a foundational plan that evaluates and prioritizes assets by their exposure to internal and external threat actors. The plan defines the cadence of security testing throughout the year, to ensure proper coverage of the networks, systems, applications, and non-public data in the organization's environment. It is the foundation of a risk- and compliance-based program.
First, set the criteria for the playbook. Treat it as a living document: once set, expect it to change throughout the year. Then, ensure the answer is "yes" to the following questions:
- Does my playbook outline how we will protect our critical assets, internally and externally?
- Does it scale with business growth?
- Does the plan seek to proactively identify and mitigate threats before they fully mature?
- Does it ensure security teams enable the business without sacrificing security?
The playbook will help anticipate what the second line, third line and regulators will require from the security team. It should also help the team uncover exactly what it needs to catapult to a “best-in-class" security program.
Also, ensure the playbook includes a comprehensive foundation of security controls governing all aspects of the organization’s business, designed to reduce risk of improper access, disclosure, use, or manipulation of information, but still enable the business to function. Here’s an outline of the core categories that the annual security initiatives and controls should focus on for business continuity and resilience:
- Identity and Access Management
- Application and Data Security
- Infrastructure Security
- Detective and Preventative Controls
Within each of these categories, the playbook naturally satisfies the requests and requirements of the second and third lines of defense and keeps the organization in compliance with regulators throughout the year.
As security leaders today are pulled in so many directions and continuously governed by others, here's a final word of advice: do not overthink the path to a risk and compliance strategy. Remember that the company's priority is to protect the business. Recognize the importance of these foundational planning steps, and the balance between risk and compliance should fall into place. And remember that a compliant cybersecurity program is not necessarily a secure one.
Mary Braunwarth, vice president, strategic accounts, NetSPI