I remember shopping for posters to decorate my college dormitory room. One poster proclaimed, “The job is not finished until the paperwork is done.” I will not describe the accompanying photograph that made this poster funny. Compliance is like the paperwork. You do the work to make your network and information secure. Now, with compliance, you demonstrate that you did the work.
When I talk about compliance, I am referring to compliance with a cybersecurity standard. CIS Controls and NIST 800-171 are two examples. Compliance asks whether you have implemented the controls specified by the standard. In some cases, compliance also asks that you show your work.
Cybersecurity Standards Point the Way
I have found cybersecurity standards to be valuable in guiding an organization as it assembles its security program. As I have said ad nauseam, there is no single SKU for cybersecurity. There are many layers to cybersecurity (see my posts on Zero Trust, for instance). Each of these layers takes up a different aspect of security and has its own recommended policies and actions.
Think of these cybersecurity standards as building codes. A building code does not tell you how to build a house. But the code does tell you important information, such as how much space to allow between wall studs or what wire gauge you should use for electrical wiring.
I have worked with customers to create their cybersecurity programs, using these security standards. We have typically followed these steps.
- What is the security control?
- Is the control applicable to our situation?
- What must we do to implement the security control?
- How extensively do we want to implement the security control?
So far, so good. We look at the controls, decide which we want to implement (and how far we want to go) and create the action plan to accomplish the work.
Compliance Means Showing Your Work
Compliance adds another layer. Not only do you do the work, but you also must show your work. That is, you must provide evidence that you have written the policies, implemented the access restrictions, and so on, that together make up your compliance with this cybersecurity control.
What would demonstrating compliance look like? Here are some examples.
- A copy of the policy that covers this area of cybersecurity.
- Screenshots of the conditional access policies you have implemented.
- Penetration test/vulnerability scan results.
Why Compliance Matters
Some of you will not need to bother with compliance. You have implemented your cybersecurity controls. You will measure your success by the network's ability to resist intrusions and attacks.
Some of you will not get off so easy. If you are working with a national government agency, it may require that you show compliance with a cybersecurity standard. If you fail to show compliance, you may be jeopardizing future sales or qualification for funding.
Even more likely, you may be required to show compliance in order to obtain (or renew) a cyber insurance policy. Cyber insurance companies want to reduce their risk by ensuring that the organizations they underwrite have implemented appropriate cybersecurity controls. Your property/casualty insurer wants to know how far your house is from the nearest fire hydrant. Your cyber insurance carrier wants to know if you have run a website scan in the last six months.
Do You Need a Compliance Management Tool?
Most likely, the tools you will first use to manage your cybersecurity program are Word and Excel. If you need to demonstrate compliance with a single cybersecurity standard, these tools will be sufficient. But what if your organization operates in a dozen different countries, each with its own cybersecurity standard? What if you need to let a government procurement agent inspect your evidence of compliance? And what if your cyber insurance carrier wants quick answers to its audit questions about your cybersecurity compliance?
In each of these cases, you may want to use a tool to manage your cybersecurity compliance. I have written about one tool, ComplyUp, before. It conveniently provides one workspace to work through compliance with a standard. There are sections devoted to requirements, level of compliance, plans of action and milestones, and evidence of compliance. If you want a single repository for managing all of your activities, a tool like ComplyUp will make your life easier.
First, you did the work. Now, you must complete the paperwork. That is compliance, and you are likely to encounter it sooner or later. Make sure you have the tools and help you need to meet that compliance need.