Numerous IT and cybersecurity frameworks have been developed to assist organizations in implementing and validating controls that secure their information and systems. These frameworks are built on best practices for preventing or mitigating threats and vulnerabilities; the challenge for organizations is understanding which framework will deliver the most value to their business. That determination requires weighing several factors, including the sensitivity of the data being used, the business's modes of operation, the technology stack and ecosystem, regulatory or contractual requirements, the impact on users or customers and, as always, the resources available. In light of these challenges, how should an organization proceed?

A common and appropriate answer is to begin with a risk assessment. This helps the organization understand the risk facing the business and evaluate it based on potential impact. A common hazard, however, is that the assessment also covers the risk of noncompliance with regulations and contract requirements, and this can skew objectives toward compliance at the expense of security. The issue is typical of highly regulated industries such as defense, energy, healthcare and financial services, where the penalties for failing to adhere to regulations could severely impact the business; as a result, more attention is paid to being compliant with requirements than to ensuring that controls can effectively counter existing threats.

This phenomenon is exacerbated by the increasing regulatory requirements being heaped on organizations. Large enterprises with a global footprint must navigate an ever more complicated gauntlet of regulations related to privacy and consumer and investor protections at the country, state and local levels, which are often accompanied by prescriptive requirements. This results in resources being spent to ensure that boxes are being ticked to satisfy compliance requirements associated with all the statutory and contractual obligations the business is subject to.

Given that this is the current reality and any hope for reciprocity or consolidation between regulations does not appear likely in the near future, organizations must evaluate how security practices can be designed to satisfy numerous regulations while effectively addressing business risk. Some high-level actions organizations should consider include:

  • Start with an objectives-based approach—Organizations should understand what objectives need to be met. Although there are many frameworks available, most share the same core tenets. These form the basis of a sound information and cybersecurity program, and although the wording of controls may differ slightly, or one control may carry a specific nuance another does not, they generally aim to accomplish a similar objective. For example, the concept of least privilege is focused on ensuring that users and services are permitted to access only the information, applications and functions required to perform their work. Although many controls across frameworks address this, the core objective is the same.
  • Complete requirement and framework mapping—Organizations should understand the explicit requirements of every regulatory and contractual obligation, such as multifactor authentication, encryption at rest and in transit, and access control. This allows them to determine their must-haves and to evaluate (or map) which frameworks contain controls that would effectively meet those requirements. Certain frameworks have been designed to meet specific regulations, such as HITRUST in response to the Health Insurance Portability and Accountability Act (HIPAA). Combined with knowledge of the objectives to be met, this lets the organization design security practices that satisfy multiple requirements across frameworks and align with business processes.
  • Determine additional discretionary controls—As discussed, being compliant does not inherently mean that an organization is secure. Additional cybersecurity and data protection controls that address voluntary industry practices or internal requirements should be implemented to meet the organization’s risk appetite and objectives.
  • Coordinate and communicate—Coordination across internal functions is key to any successful system of internal controls. Functions such as operations, management, IT, legal and compliance each serve a distinct purpose but must coordinate to achieve the organization’s objectives. Similarly, stakeholders from each function should understand the role they play in meeting internal controls and where touchpoints and dependencies exist. Any framework a business adopts must account for the contributions of functions across the organization.