Why am I here?
I’ve been an information security assessor (PCI, HIPAA, ISO, etc.) for a long time and it’s always interesting to find out why a company has brought me in to do an assessment.
Is the goal to shore up their existing security environment, or just check a compliance box to make one of their clients or vendors happy? The answer to that question will usually determine the assessment’s success.
The path you’re on determines your outcome.
What surprises me most is that many of the companies I visit are still trying to check a box and not change their processes or approach to security.
Yes, it costs money.
Yes, it means you have to pay attention to what your employees are doing with their phones and their email.
Yes, it can even mean hiring someone or outsourcing to support your environment for logging, monitoring, patching, whatever…
But responsible CISOs, CIOs, security managers and the like must do these things in the environment we live in today. And more bad news… it’s not going to be getting easier or better!
What’s your desired outcome?
As I mentioned above, the path you’re on (either compliance or security) determines your outcome. If your path is compliance focused, then your outcome will at best be a checked box.
By contrast, the security-focused path leads to a holistic organizational outcome. Below are three examples of what that looks like.
Example 1: The C-Suite is involved
In the security-focused organization, I will speak with a CISO, CIO or even the CEO while doing an assessment. This wasn’t the case just three or four years ago, but now the C-suite guys and gals are engaged, ask really good questions, and want to know how they stack up against other companies. This is very encouraging, because it means they are looking at securing the organization and not just checking boxes.
Example 2: Change is embraced
Organizations that are security focused understand that CHANGE is involved in remaining secure and compliant! Cyber criminals and their tools and techniques are definitely not staying the same, and smart organizations continuously adapt by incorporating the latest techniques for threat monitoring, detection and response. What’s more, ISO 27001/02, NIST 800-53, HIPAA and HITRUST provide frameworks, requirements and guidelines to help establish a security program, and implementing them almost always requires organizational change.
Example 3: Security is part of each decision
A good information security program will base every decision around security; it’s not the last thing looked at, but is an integral part of the process from beginning to end. This is often an alien concept or gets in the way of the main reasons for business, which are making money and keeping a good bottom line, so the challenge becomes a balance between security and operations. I will tell you that the good companies are making it work.
Set your course for security and compliance will go along with it.
Here’s something else: Once you start looking at security as part of every decision, something amazing happens… COMPLIANCE! You see, if you build secure systems, have an Information Security policy framework, and consider security as part of every project, the compliance becomes a by-product.
Instead of the once-a-year mad dash of the time and resources you spend trying to be compliant, it becomes a daily routine. Nothing extra, just part of the process. Your staff understands what they need to do every day, and your organization has the processes and procedures to maintain a strong security posture!
So, what’s it going to be? The annual compliance mad dash or the ongoing security process? I can’t tell your organization what to do, but I know what I would choose!