Cybersecurity Compliance vs. Commitment - Building a Cyber Resilient Organization


As a senior cybersecurity consultant, I am often asked to evaluate and assess risk or to help clients become “compliant” with regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or any other lawful regulatory requirement. During the course of my assessment, I conduct interviews with employees who start our conversation with “we are HIPAA and PCI compliant,” which prompts me to return the question “What does that mean?” Too many people think that because a company has met the compliance requirements, their environment is secure. I am here to tell you that in most cases it is not.

Merriam-Webster defines compliance as a: the act or process of complying to a desire, demand, proposal, or regimen or to coercion; b: conformity in fulfilling official requirements. The PCI DSS standard states that environments must be separated to isolate credit card processing from the rest of the enterprise. Some companies are lulled into thinking, “I am secure if I do that.” No, not totally correct. Simply using a firewall to isolate an environment does no good if your firewall is running a firmware version that has known vulnerabilities and is “end of life/support” from its manufacturer.

So how, then, do companies ensure that they are not just complying with regulatory requirements but are committing to securing their enterprise? Companies commit to securing their enterprises by implementing information security controls recommended by organizations that develop and disseminate valid, reliable, and defensible standards, like the National Institute of Standards and Technology (NIST), the American National Standards Institute (ANSI), the Center for Internet Security (CIS), or the International Standards Organization (ISO).

How does one prove that an electronic health record, and its transmission, is secure? I would say to ensure that the person(s) who are supposed to have access are the only ones who have access, and that even those people are required to use more than just a complex password, such as some form of multi-factor authentication (MFA) that can verify identity in real time. I would also suggest that some mechanism is in place to ensure that the record’s integrity stays as intended, by employing digital signatures that use a NIST-approved digital signature algorithm. I would lastly suggest that the health records be secured in a fashion that ensures availability when needed. After all of that, the critical question is always “Well, how do we do that?”

In securing today’s distributed computing environments (DCE), too many executives are only concerned with the “what” of information security and not the “how,” “why,” and “when.” They want to be able to stand up in front of the world and say “We are compliant” but have no clue what that means. Typically, anyone can SAY they are compliant simply by answering “yes” to the auditor’s questions. The true value of securing your enterprise rests with the company’s executives endorsing a firm commitment to information security, and not just compliance.

In my course lectures, whether I am teaching a class in leadership, management, or information security and compliance vs. commitment, I use the analogy of the chicken and the pig at breakfast to explain the difference between commitment and compliance. You see, the chicken just provides the egg to the breakfast meal and therefore complies with the contribution to the meal. The pig, on the other hand, provides ham, sausage, and bacon and is thereby fully committed to the breakfast contribution. In information security, organizational leaders must transform the mindset of team members to commit to securing the data and information assets much like they would their own personal data. Simply complying with a regulation has never been, nor will it EVER be, the most effective cyber defense.

Now, I could go down the path of the people aspect of cybersecurity, which is an overlooked concept that I will write about in a separate series, but for this article I will stick to helping you understand the difference between complying and committing to information security. Merriam-Webster defines committed as having made a pledge or commitment to someone (such as a romantic partner) or something (such as a cause). In this case the someone is the stakeholders and the something is information security. Today’s information security requires that corporate leaders commit to the stakeholders that they will influence employees to commit to securing organizational data assets. Compliance with PCI, HIPAA, or any other regulation alone will not reduce the risk of getting breached. Ask the countless healthcare companies that were HIPAA compliant and got breached. What about the retail organizations that were PCI compliant and got hacked? Why? It’s because until you put in the work to assess risk, apply appropriate controls, and make risk-based information security decisions, your cybersecurity risk is not magically mitigated because you complied with HIPAA or PCI. Well then, how do I commit to information security instead of just complying, you ask?

Well, first, I want to let you know that committing to information security entails applying the appropriate level of controls after assessing risk, so that you CAN comply with regulations. Filling in blanks on compliance questionnaires won’t get this done. I have some steps that you can use to start your journey of commitment to organizational information security:

1. Obtain executive endorsement to establish information security risk, program, and control frameworks. This means, in simple terms, establish and FUND information security governance and management functions. If you must go to the board and ask for money, do that. If you must restructure funding set aside for a company function that is run by your friend but hasn’t turned a profit in the past three years, do that. If it means removing some of your bloated executive staff positions, do that. If it means a total company restructure, do that. You must lead your company to secure your data and information assets by any means necessary, now, not after you get breached and/or hit with ransomware.

2. Select a valid, reliable, and defensible information security standard for your risk, program, and control frameworks. Building an effective and efficient cybersecurity function requires that you establish an information security risk, program, and control framework, all of which work interdependently to enable you to secure your enterprise. Some popular standards are provided by the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and the International Standards Organization (ISO).

a) The risk function is grounded in governance and should be a business function that informs the CEO of corporate cybersecurity risk. The CEO must then determine the company’s risk tolerance level and the risk response methodology to mitigate said risk. Is the answer to buy more cyber insurance? To fund the refresh of old, antiquated, end-of-life, out-of-support operating systems, software, and equipment? Whatever the response, the CEO is responsible for making and endorsing the most effective risk-informed decision that mitigates the organization’s level of cybersecurity risk. NIST and CIS both have risk assessment methodologies that provide excellent stepwise guidance on how to properly conduct a risk assessment by evaluating threats, vulnerabilities, likelihood, and impact to determine the level of information security risk for the organization. Be sure to inform your risk assessment by integrating a valid, reliable, and defensible authoritative source for threat tactic and technique identification, such as the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.

b) The program function is the middle component that should link the risk framework with the control framework. This too is a governance component, but it should be the responsibility of the chief information security officer (CISO) to establish and maintain the information security program. A popular security program framework is the NIST Cybersecurity Framework (CSF), which provides guidance on how to effectively manage cybersecurity risk. “The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover” (National Institute of Standards and Technology, 2018, p. 8). The keywords here are concurrent and continuous.

Implementing the CSF should be done by launching the functions concurrently and continually working to apply them based upon the level of risk exposure to the organization. In addition, I would like to let you all know that the implementation tiers listed in the CSF are NOT intended to be levels of maturity, as so many compliance software vendors tend to tout in order to sell their products and services. NIST advises:

The Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Ranging from Partial (Tier 1) to Adaptive (Tier 4), Tiers describe an increasing degree of rigor and sophistication in cybersecurity risk management practices…While organizations identified as Tier 1 (Partial) are encouraged to consider moving toward Tier 2 or greater, Tiers do not represent maturity levels. (National Institute of Standards and Technology, 2018, p. 8)

c) Finally, the last component of implementing an efficient and effective cybersecurity program is to establish a control framework. Controls fall under the cybersecurity management effort, which is distinctly different from governance. The management actions feed the governance effort, which allows the executives to make risk-informed business decisions as they pertain to cybersecurity.

NIST Special Publication (SP) 800-53 and the CIS Critical Security Controls version 8 both recommend valid, reliable, and defensible controls that should be applied to secure the enterprise. I was once asked by a client, “How do I know when I have implemented the NIST CSF?” I advised that the CSF is a continuous process, but its subcategories are validated by applying the appropriate controls. Controls answer the question “HOW do we secure our enterprise?”

3. Train your employees in cybersecurity awareness. I don’t mean give them the old, tired once-a-year 15-minute video training and expect them to remember what a potential phishing email looks like for the rest of the year. I mean devise a training program that makes employees think twice about any suspicious email or social engineering attempt.

Not everything has to be formal training, but you should run phishing testing campaigns at least once a month, or send employees short 3- to 5-minute videos that earn PTO credit for watching. ANYTHING that incentivizes or motivates your people to increase their level of cybersecurity awareness will work towards mitigating the risk to your data and information assets. It takes a concerted, combined, and collaborative effort to keep your people trained in cybersecurity awareness. The more they know, the less time you have to spend recovering from a cyber-attack because an untrained employee clicked on the email with the brown and yellow “UpS” logo (yes, that is how it would look, too).

4. Implement basic cyber-hygiene controls today. If you do not have the budget, time, or resources to build a formal cybersecurity program right now, at least do the following:

a) Inventory all your hardware and software assets. Know what is on your network so that you can know what doesn’t belong. A popular critical thinking exercise is to practice intellectual humility, which is making the effort to determine what you don’t know. By taking and keeping an accurate inventory, you will have a better chance of discovering unauthorized devices and software connected to your network.

b) Invest in a reputable vulnerability scanning and patching technology or service. Most breaches originate from initial access gained either through unpatched vulnerabilities or through phishing attacks. You must know what you don’t know about your devices and software. Vulnerability scanning and patching mitigates the risk that attackers use known exploits to gain access to your network.

c) Ensure you have encrypted backups: at least three copies, with at least one of the three offsite. BACK UP, SCAN, AND VERIFY YOUR DATA. In the case of a ransomware attack, it is imperative that your backups are not accessible to those who wish to maliciously encrypt them and take away your capability to recover. Good backups are golden.

d) Audit your users, especially users with elevated access. You need to know who has access to what, how long they have had the access, whether they still need it, and why. Be sure to conduct this audit every quarter. You will be surprised how many people with administrator access think they still need it to do their jobs…and do not. Just ask them when they logged in last, or check the logs yourself. Oh, also, make sure privileged (elevated access) users have a separate login and password for their everyday, normal user activity. Don’t let your admins use their elevated access credentials to conduct normal activities like checking email and accessing shared drives.

e) Establish a standard security-hardened configuration for all devices in your enterprise. Make sure that you develop configurations using a standard security benchmark, like those published by CIS, to ensure that you have uniformity throughout the enterprise. Trying to support 80 different configurations is a nightmare for support desk personnel.
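As an added illustration of the quarterly privileged-access audit in item d) (my own example, not code from the article or from any vendor tool), the script below runs over a constructed account export and a constructed list of application access events and flags admin accounts with no logon in the last 90 days, admin accounts used for everyday work like mail or shared drives, and people whose only account is a privileged one. The account fields, the group name “Domain Admins”, and the application labels are assumptions.

```python
from datetime import date, timedelta

# Constructed sample account export (not real data); "owner" ties each
# account to the person it belongs to.
ACCOUNTS = [
    {"user": "jsmith",     "owner": "J. Smith",  "groups": ["Domain Users"],  "last_logon": "2024-03-28"},
    {"user": "jsmith-adm", "owner": "J. Smith",  "groups": ["Domain Admins"], "last_logon": "2024-03-27"},
    {"user": "rlee-adm",   "owner": "R. Lee",    "groups": ["Domain Admins"], "last_logon": "2023-10-01"},
    {"user": "tnguyen",    "owner": "T. Nguyen", "groups": ["Domain Admins"], "last_logon": "2024-03-29"},
]
# Constructed sample of application access events: (account, application).
EVENTS = [("jsmith", "mail"), ("jsmith-adm", "server-console"),
          ("tnguyen", "mail"), ("tnguyen", "fileshare"), ("rlee-adm", "server-console")]

PRIVILEGED_GROUPS = {"Domain Admins"}   # assumed group name for elevated access
EVERYDAY_APPS = {"mail", "fileshare"}   # assumed labels for normal-user activity


def is_privileged(account):
    return bool(PRIVILEGED_GROUPS & set(account["groups"]))


def audit_privileged_access(accounts, events, as_of, stale_days=90):
    """Quarterly privileged-access review; as_of is an ISO date string."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=stale_days)
    privileged = [a for a in accounts if is_privileged(a)]
    priv_names = {a["user"] for a in privileged}
    # 1. Admin accounts with no logon this quarter: candidates for removal.
    stale = sorted(a["user"] for a in privileged
                   if date.fromisoformat(a["last_logon"]) < cutoff)
    # 2. Admin accounts used for everyday work (mail, shared drives).
    everyday_use = sorted({u for u, app in events
                           if u in priv_names and app in EVERYDAY_APPS})
    # 3. Owners with no non-privileged account: no separate login for normal work.
    owners_with_std = {a["owner"] for a in accounts if not is_privileged(a)}
    no_separate = sorted(a["user"] for a in privileged
                         if a["owner"] not in owners_with_std)
    return {"stale": stale, "everyday_use": everyday_use,
            "no_separate_account": no_separate}


if __name__ == "__main__":
    for finding, users in audit_privileged_access(ACCOUNTS, EVENTS, "2024-03-31").items():
        print(f"{finding}: {users}")
```

Each finding list is a follow-up item for the audit: confirm with the owner, then remove the access, issue a separate standard account, or record why the exception stays.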

The items I listed above are but some of the things you can do to get started on your road to committing to information security and cyber resilience. It is imperative that you learn the difference between information security compliance and information security commitment. Learn to develop good cyber hygiene practices so that your company commits to information security, which in turn will enable regulatory compliance with several agencies.




National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity: Version 1.1. Gaithersburg, MD: National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf


Counselor Darrell C. Hartley, D.Min ICCJP LCDC MAC SAP

Senior Substance Abuse Professional and Substance Abuse Expert at: BETTER CALL DARRELL

3 years


Jennifer T.

Jurisprudence. Let’s talk.

3 years

Excellent article and thoughts. Safety is an ongoing commitment, not a checkbox. Bottom line, hackers, cyber criminals, etc., work full-time to crack the code. Giving part-time cybersecurity effort will undoubtedly create vulnerabilities that carry hefty costs.

Anthony G. Garcia

Sr Information Security Analyst

3 years

Excellent read and a lifeline for businesses and individuals on what it takes to get it done. I’m still learning from you, Dr. Preston Rich. Many thanks!

Donald W.

Senior IT Executive

3 years

Well said

Excellent publication, clear examples and a fresh reminder for some!
