Compliance and Assurance
Compliance does not equal security. It’s not necessarily good for the business, not always anyway. Everybody in the industry has to do it, but doing it too diligently can actually reduce your competitive advantage. We think of compliance as a necessary evil.
The big question for a cybersecurity manager is how much compliance is mandatory and how much is voluntary. Compliance can mean meeting the requirements of the law or exceeding them. It can get confusing; legal contracts, for instance, may be subject to certain rigid requirements and also to some requirements that can be negotiated or renegotiated. The cybersecurity manager has to know which is which.
Compliance vs. Assurance
Compliance involves finding out what the minimum requirements are and deciding how to meet those requirements. Assurance, on the other hand, is making sure that compliance requirements have been met. Let’s say some government department wants to audit your compliance with their requirements. Assurance would be gained when they send an auditor over to check up if things are in order.
Compliance is binary—either you’re compliant or you’re not. Even if you’re 99.9 percent done, you’re still partly non-compliant. If that vague line of requirement hasn’t been fully met, even though everything else has, you’re still not compliant.
The way compliance with requirements are verified will depend on each standard. Some actions are mandatory in all instances, while others are negotiable. Auditing is required to validate compliance.
Once everything is audited, validated, and perhaps even certified, the company can demonstrate to its customers and partners that they are compliant. If a company can do that, it’s easy for the customer to consider the company safe, and other companies will feel comfortable doing business with them.
Why Compliance Fails
When compliance fails, it’s usually for one of two reasons. First, many companies go too far—way above and beyond the compliance standards—and it ends up costing too much money. For example, if the compliance project planning is done by security people, they would want to cover everything that would affect security, whether it’s required or not. Letting specialised departments handle compliance planning is a major mistake. Compliance should be overseen by a project manager or director with a financial or business focus. Don’t overdo it, and don’t let people mix their personal agendas with it.
A good practice is to have a separate budget for compliance projects and a dedicated lead for it.
The other reason compliance fails stems from misunderstanding the implications of compliance contracts. Too often, companies sign a contract without realising what every clause in the contract means. There might be additional compliance standards named in the contract; once the agreement is signed, the company is now required to meet those standards in order to stay compliant with the contract. Unnecessary requirements often creep into an organisation this way.
Compliance takes more time than companies often realise, not necessarily because the standards are hard to meet but because companies don’t know how to deal with auditors to the best effect.
If the cybersecurity manager can advocate to get the auditor involved early in the process, things progress much faster. Calling them in early on, showing them what they’re going to do, and giving them whatever documentation they need as soon as possible will speed up the process.
Subscribe To Our Newsletter
Get the latest intelligence and trends in the cyber security industry.
Make It Easy for Auditors
A note on compliance documentation: it’s best to design it so that it advances only those questions pertaining to compliance requirements and nothing else. Have your documentation follow the same structure as the compliance standard does. This way it’s easy for the auditors to find answers for their requirements.
One Signature to Rule Them All
Companies should approach compliance with the mindset of doing what has to be done with optimised effort. Understand what’s required, implement it efficiently, don’t do anything excessive, and get management to sign off on it. That’s it.
That last part can be a challenge, but a lot of compliance documentation must get approved by top management, in writing, so there is documentation at the ready when the auditor asks to see it. The cybersecurity manager will bring the written documentation to the appropriate level of management and ask them to approve it, again in writing.
What if there are twenty different documents that need to be signed off by different positions? Does the cybersecurity manager really need to go twenty different places to collect twenty different signatures? Not necessarily; that takes too long and isn’t practical.
Instead of bugging leadership over and over again, one signature can often cover as much as 30 to 40 percent of all compliance requirements related to security management!
The Magic Management Memo
The best way to achieve compliance with a lot of the requirements is very simple: take a standard and make a list of all its requirements. Start marking down the things that need to be accepted by the management, and create a management memo with a list of those things. If you have to get policies approved or reviewed, they go in. If you need to have things that aren’t compliant, put them on your risk analysis sheet. Yes! Put everything in there that’s not actually compliant and explain what kind of risk exists if each item on the requirements is not done. This is how you would have management approval of residual risks, or things that could prevent you from being compliant. You can work with the management assistant or secretary to make that memo and set up a meeting with the management. Then send over the memo with all the attachments to be approved. Once at the meeting, you need to explain to the management that when this memo is signed, all related documents and residual risks will be approved at once, and the company will get many compliance requirements done with a single signature. Explaining this in person is very important so that the management understands that getting this memo approved is a matter of gaining compliance, not a matter of lengthy debates. It’s either going to be approved, and we’re compliant, or they can decide not to be compliant. Easy call.
We have been able to pass difficult audits by very strict bodies like defence forces in as little as 90 days by using this simple approach. We know it can be done, and we have done it. Our results with our clients have been extremely good. Auditors like that the documentation, risks, and all the approvals are presented in orderly fashion; everything is easily related to their requirements; and any exceptions are communicated from a risk perspective to them. And everything has management support in writing. Quite often, the auditors have made comments like, “This was the fastest audit and compliance project we’ve ever seen, with the best results among all the companies we’ve ever audited.”