How to Easily Evaluate the Security of Your Environment Against the Leading Compliance Frameworks
Over the years, I’ve come to realize that people are decidedly different from each other. Not much of a revelation, I admit, but there is still a shocking difference between knowing something and experiencing it first-hand. For me, cybersecurity is about a war of minds between the good guys and the bad guys (who occupies each group is outside the scope of this piece; basically, it depends on whether you view hackers as closer to Robin Hood or to Attila the Hun).
The bad guys want to hack their way inside, and the good guys try to keep them out with technology, manual operations and security expertise. What logically followed, in my mind at least, was that the ultimate criterion for choosing a security product is how well it blocks attacks. The more advanced, the better.
However, once I started to interact with companies – small, mid-sized or enterprise are all the same in this aspect – I discovered another candidate for the ultimate security project driver. And to be honest, this guy is bigger than all the rest.
His name is COMPLIANCE.
It’s not that compliance is unrelated to protecting against breaches. Its roots are definitely there, somewhere at the dawn of time. Today, however, compliance is mainly about complying with whatever is hot: PCI-DSS, GDPR, you name it.
Sarcasm aside, it does make perfect sense. Apparently, management can intuitively grasp the chain ‘You were hacked -> private data was compromised -> you didn’t comply with regulation XXX -> therefore you’re subject to a zillion-dollar lawsuit.’
So, if you’ve built a really outstanding piece of security technology that has the potential to make an impact, turn the tables on the attackers, rebalance the cybersecurity equation or restore cosmic order in any other way, take this piece of advice: if you really want it to play big out there, you’d better make sure that your baby helps organizations comply with something.
On second thought – not something. Somethings (note the majestic plural). Some regulations. Not just some regulations from the street, but the crown jewels. The ultimate team. The magnificent seven, the top guns.
To paraphrase Animal Farm: all cybersecurity regulations are equal, but some regulations are more equal than others. There is, in fact, a group of regulations that almost every organization needs to take into consideration at some point or another. Probably very few organizations comply with all of them, but most, if not all, companies will have to work with at least one.
And if you checklist your security stack against each of them and score high, it means that you’re not only covered from the regulatory perspective; it means that your environment is significantly more resilient to cyberattacks than the industry average. That in turn means your chances of getting breached are lower, so at the end of the day compliance and breach protection do converge into making you more secure.
Who are these hotshot regulations and security frameworks? From my experience, I would suggest the following four: the NIST Cybersecurity Framework, HIPAA, PCI-DSS and GDPR. While the choice is somewhat subjective, it is fairly easy to show how both their content and their prevalence make them the regulation all-stars.
We at Cynet decided that every security stakeholder should have these frameworks at hand, to be able to easily evaluate where his or her security level stands against them. The Comprehensive Compliance Guide contains easy-to-use assessment templates for the top four frameworks, enabling each CISO, CIO or security director to get immediate insight into the security level of his or her environment.
While not a replacement for a full-blown third-party auditing process, the templates provide an excellent way to unveil what works and, much more importantly, what needs to be improved.
So, step one: choose wisely what you want to comply with. Are you doing business in the EU? GDPR is probably a must. Do you process card data? The shadow of PCI-DSS is upon you. And so on and so forth.
Determined what you need? Great. Now download The Comprehensive Compliance Guide and start rocking. Ideally, you’ll discover that all is perfect with your compliance framework of choice. Realistically, you’ll probably discover some gaps that need mending. Now you can make an informed decision on which security projects are the important ones that you need to get rolling.
Download The Comprehensive Compliance Guide here.