Almost every organization’s business operations are heavily dependent on secure and reliable data systems. As a consequence, cybersecurity risk management is an increasingly high priority for boards and executive teams in virtually all businesses.
Unfortunately, the challenge of managing cybersecurity risk is often complicated by the expanding array of data privacy and security standards, each of which imposes its own specific requirements. To successfully navigate this challenge, directors and senior executives must understand the purpose of these multiple standards, as well as what steps they can take to help their risk management teams manage compliance more efficiently.
The Board’s Role: A Matter of Trust
In addition to recognizing the costs and challenges that arise when complying with multiple cybersecurity standards, directors should understand the potential benefits that compliance can deliver, which include trust and oversight.
The primary purpose of cybersecurity compliance is to build trust and confidence among various stakeholders, including regulatory agencies, customers, employees, suppliers and other third-party affiliates. All these parties have legitimate interests in the security and integrity of the critical data they might share. Although cybersecurity compliance by itself does not guarantee data security, it establishes a level of trust by demonstrating to these stakeholders that the company is actively engaged in managing cybersecurity.
After designing and implementing a cybersecurity compliance program, boards and executive teams also must actively oversee its ongoing management. Directors must oversee the individuals and teams charged with maintaining, documenting and reporting compliance, as well as those responsible for tracking changes to cybersecurity standards. Clear lines of responsibility and reporting are necessary, with direct links to relevant board committees.
In an ideal world, a company could choose which cybersecurity standard was most appropriate to its business and then take steps to comply. In the real world, however, most companies must comply with multiple standards. These generally fall into three broad categories:
- Standards requiring third-party audits or reviews. This group includes the various types of System and Organization Controls (SOC) audits, which require attestation from qualified certified public accountants. Other examples include payment card industry (PCI) standards, the Cybersecurity Maturity Model Certification (CMMC) standard for U.S. government contractors and HITRUST certification. Some of these standards (including PCI) allow companies with lower volumes of data to comply through self-assessments, but they require certified organizations to obtain independent validation from qualified third parties.
- Standards that require compliance without regular reviews. Although these requirements are not subject to regular examinations, they nevertheless present risk, especially if a security incident occurs. Examples include state privacy laws, International Traffic in Arms Regulations (ITAR) requirements and similar rules that generally become issues only after the fact if regulators determine they have not been managed properly.
- Optional or voluntary standards. To further demonstrate the strength of their cybersecurity programs, many organizations choose to comply with voluntary regimens such as National Institute of Standards and Technology (NIST) frameworks and Critical Security Controls published by the Center for Internet Security. Such standards can also help establish organizational direction and structure for compliance programs.
Unified Control Framework: An Integrated Approach
Despite their variations, most cybersecurity frameworks incorporate similar sets of protocols and controls. By mapping and aligning these common elements, companies can create an integrated system of controls that satisfies each framework’s most demanding requirements, thus eliminating the need for separate audits and reviews of common controls. A unified control framework also can help streamline compliance by synchronizing information, identifying overlaps and redundancies and reducing the overall compliance burden.
A thorough risk assessment is an essential early step in establishing such a program. The objective is to produce a comprehensive inventory of the various types of data the business collects, handles and maintains, along with a clear path tracing the data’s origins and recipients. In addition to developing an accurate picture of the company’s overall data landscape, this assessment should take into account customers’ security expectations and any third-party contractual requirements.
Automated governance, risk and compliance solutions can help further by tracking and managing cybersecurity requirements while also documenting control capabilities, testing protocols and the systems used to track action plans and open items.
Cybersecurity compliance is a critical business requirement, making top-down support from the board essential. By understanding both the benefits and costs of compliance, directors can be better prepared to provide the leadership needed to successfully demonstrate the sufficiency of their cybersecurity programs to all stakeholders.
Mike Del Giudice
Principal, Digital Security Leader
Principal, IT Assurance Leader