Home Features CISOs Must Declare an End to the War Between Security and Compliance

CISOs Must Declare an End to the War Between Security and Compliance

Compliance should be the outcome of the security best practices implemented and operating effectively at an organization.

cybersecurity practices, Automotive Cybersecurity

The time has long passed for CISOs and other security leaders to shift their perception regarding cybersecurity compliance assessments. These assessments have traditionally been viewed as nuances that you have to undertake because a prospective customer or other interested third-party is demanding a compliance report. Senior executives understand these assessments are not going away, the requests are increasing and becoming more challenging to understand and address.

By AJ Yawn, Co-Founder and CEO of ByteChek

These mandatory assessments are not nice-to-haves; they are required to conduct business in the modern Business-to-Business (B2B) space. You will be hardpressed to find a vendor management or supply chain process that does not involve questionnaires or requests related to cybersecurity best practices. According to a recent survey of North American CISOs, CISOs are preparing for an average of 3.3 security compliance standard audits over the next six to 12 months. That’s a lot of audits!

Three cybersecurity assessments a year is not a light undertaking, these audits are significant financial and operational investments. A typical cybersecurity assessment involves months of meetings, emails, evidence request lists, and your team spending hours in interviews with third-party auditors. The audit interviews pull your team members away from their day jobs, causing delays or other issues with important tasks to continue to grow your business. Along with this operational disruption, every CISO knows that these compliance assessments are not cheap. These assessments cost tens of thousands of dollars in most cases and are required to be renewed annually.

Cybersecurity audits are not going anywhere, and the investment is not insignificant. Investing significant time and money should result in significant value add to the organization right? In most companies, the sales teams, marketing teams, Board members, and other executives realize the benefits of completing a cybersecurity audit. These leaders have experienced several benefits from the achievement of a cybersecurity compliance report such as unlocking sales, entering new markets, or establishing trust with interested parties. Those are all important benefits and ostensibly help the bottom line. However, it is time for security practitioners to receive benefits as well. The value that security professionals should receive and begin to expect from a cybersecurity compliance assessment is — better security.

Compliance should be the outcome of security best practices

I know it’s bizarre to associate compliance with security, and we’ve heard the saying “compliance is not security.” This article is not disagreeing with that statement, I agree that compliance does not equal security and do not think it ever will. Meeting a particular compliance framework or standard does not mean you are secure or won’t be breached. The stories of companies that were breached and recently underwent third-party audits are well-known. Compliance should be the outcome of the security best practices implemented and operating effectively at an organization.

Security leaders should begin to rephrase that statement to “security IS compliance.” When you abstract the core concepts from different frameworks, you see many similarities and repeated themes. Privileged access, onboarding, and offboarding procedures, vulnerability management, network security, and availability of resources are all concepts you can find across multiple compliance frameworks and standards (PCI, SOC 2, ISO 27001, HITRUST, etc.). These concepts are security concepts and not compliance-specific requirements. Implementing a robust vulnerability management program that identifies, tracks, and remediates vulnerabilities to protect your system is good security. It just happens that implementing a vulnerability management program will help you address requirements in a SOC 2 examination or an ISO 27001 certification. Similarly, ensuring that only authorized users have access to your sensitive resources and those users only have access to resources that they require to do their job is good security that also addresses multiple compliance standards and frameworks.

Focusing on security will enable auditors and organizations to critically evaluate the security risks you face, abstracted from the compliance framework relevant to your company. Often audits are not seen as valuable because they are only concerned with the prescriptive requirements of the standard or framework without considering the unique security risks and threats that a company is facing. If an organization is hosted on Amazon Web Services (AWS), there are certain controls and threats that should be considered from a security perspective, irrespective of the compliance framework you are being assessed against.

For example, any organization hosted on AWS understands the threat of storing sensitive data in an open Amazon Simple Storage Service (S3) bucket. However, S3 bucket security doesn’t fit neatly in any particular cybersecurity compliance framework. Should that matter? Whether or not S3 bucket security maps to a requirement should not determine whether that potential misconfiguration is evaluated by a third party hired to assess the cybersecurity risks you are facing. It doesn’t make sense for an organization hosted on AWS to undergo a cybersecurity assessment without their third-party auditors evaluating their S3 buckets’ security.

This is a two-way street, security leaders within the organization have to want a focus on security during their audit, and auditors need to understand the technical environment to focus on security. This understanding will allow the auditor to perform a technically accurate assessment that is not based only on a standard or compliance regulation but also considers the true security risks facing their clients. Understanding compliance standards and the technical environment is a sign of a strong auditor that is adding value to their clients. As we take a look at the S3 bucket example, while that concept does not fit neatly into a cybersecurity framework. A technical auditor will be able to identify compliance requirements or standards that S3 bucket security does relate to and incorporates that into his or her audit. A strong auditor knows that S3 bucket security is relevant to the AICPA SOC 2 reporting framework, specifically criteria CC6.6 and CC7.1, ultimately resulting in a stronger security-focused report.

Focusing on security helps enhance the other realized benefits of cybersecurity audits as well. Your security-focused compliance report can be used as a differentiator during the sales and procurement process. As auditors and internal security leaders come to an understanding that security is the most critical aspect of these assessments, the security profession will reap the benefits of greater trust and security between companies operating in our interconnected world.

This story first appeared in the November 2020 issue of CISO MAG.

About the Author

AJ Yawn - ByteChek

AJ Yawn is the Co-Founder and CEO of ByteChek. He is a seasoned cloud security professional that possesses over a decade of senior information security experience with extensive experience managing a wide range of cybersecurity compliance assessments (SOC 2, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers.

AJ advises startups on cloud security and serves on the Board of Directors of the (ISC)2 Miami chapter as the Education Chair, he is also a Founding Board member of the National Association of Black Compliance and Risk Management professions, regularly speaks on information security podcasts, events, and he contributes blogs and articles to the information security community including publications such as CISOMag, InfosecMag, HackerNoon, and (ISC)2.


Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.