A checkbox compliance mentality can be very costly

Compliance is a worthy adversary, and as I witness every day, it is a substantial burden for many organizations. As a security consultant, my focus is information security, with specialties in network controls and data monitoring: think firewalls, SIEMs, and the like. Because these controls tie into many compliance standards, I must stay aware of many different requirements, and that awareness naturally translates into the advice and consultation I provide in my daily professional life.

The reality is that compliance is hard. There are many different governing bodies, and there is no single answer, because most standards must be interpreted in the context of the specific business in question. As an organization's IT footprint grows, so does its compliance burden. Standards like HIPAA, PCI DSS, GLBA, and other regulatory frameworks are especially challenging for small and medium-sized businesses (SMBs) because compliance does not generate revenue; it creates a cost center that is under constant budget pressure. The language of compliance is broad, confusing, stressful, and unrelenting, so it is easy to see how a checkbox compliance mindset grows out of these stressors.

While compliance is demanding, vendors don't always help. Marketing materials commonly claim to cover as many compliance areas as possible to lure you into buying a product or service. Too often, promises are made and contracts are signed, only for you to discover that the deployed solution does not fully meet your needs. That shortfall then forces you to buy additional components from other vendors in an attempt to piece together a complete solution.

Products from multiple vendors overlap, and the stack can quickly get out of hand, leading to costly and time-consuming maintenance, poorly integrated tools, and other points of stress. This checkbox compliance approach often ends up being at least as expensive as slowing down and taking a more focused approach.

Enterprises have teams that focus on audits and are better staffed to handle these burdens; SMBs do not always have that luxury. But while compliance is hard, it is not impossible. Laying the foundation is essential, and as you build your infosec program, data and risk should be the central areas of focus. Data is the foundation of compliance: understanding where your data lives, how it moves, and who can access it is paramount to defining every policy and component of your program. Risk tells you where to focus your efforts and where controls should be placed and introduced into your estate.

As escalating compliance demands become the norm, SMBs face the possibility of more substantial fines and penalties than ever before. And because audit management is not the core business of most SMBs, getting ready for an audit often feels like a new, inefficient process every time. A focused approach, rather than a checkbox compliance mindset, lets a business develop better processes, define effective scopes, and build repeatable procedures. As you develop your company's compliance approach, keep the following tips in mind:

  • Risk assessments are your friends: they guide your focus and are the first step in building a proper compliance and information security program. IT is a cost center, and explaining the price of risk helps executives understand why these programs deserve funding.
  • You will likely need multiple vendors, but choose them based on your scope, not on compliance in general.
  • Understand your data, both at rest and in transit.
  • Keep audits focused, and don't try to solve for every burden at once; the best way to attack compliance challenges is to stay focused.
  • Understand that ignorance is not a defense that works in today's environment. Claiming ignorance doesn't work, but a demonstrable, reasonable effort always counts. You don't put a million-dollar fence around a ten-dollar horse, but you must protect your customers and your employees.

Compliance can be achieved and maintained if you build the right program. Hunting for a magical product or solution is not what helps your business; building focus is what lets you avoid feeling like it is day one again at audit time.
