A Letter from the CISO to the Chief Compliance Officer
Erik Boemanns
Derisking technology with a lawyer's lens and a technologist's techniques. Governance, Risk, Compliance, and Security Executive supporting businesses focused on their next stage of growth.
In this series of articles, I frame the key concerns of the modern day CISO geared to the perspective of the other C-Suite members. Cybersecurity may be the specialty of the CISO, but good cybersecurity allows every executive to be more effective in their role.
In part 3, we talk about cybersecurity to the Chief Compliance Officers (CCOs) of the world.
Part 1: The CEO | Part 2: The CMO | Part 3: The CCO
In the beginning, there was compliance.
There are few closer relationships in the C-Suite than the one between the CISO and the Chief Compliance Officer (CCO). CIOs and CTOs might have the closest relationship with the CISO, but it is primarily on the execution side: a company's CISO can't secure the IT environment without the support of the technology team. The CIO/CTO and the CISO are a relationship about the "how" of information security.
As the CCO, you'll work closely with the CISO on the "why" of cybersecurity. In a perfect world, good cybersecurity is in place to protect the company's assets from the beginning. But in the early days, the belief that "it can't happen to us" kept many companies from investing in cybersecurity. So regulations and industry standards developed to give companies an extra nudge to do the right thing. The payment card industry launched the Payment Card Industry Data Security Standard (PCI DSS). Healthcare data got the HITECH Act, which raised the bar on security and breach notification and, through its later amendment, gives a safe harbor to companies that follow recognized security practices. And most recently, the SEC has issued rules for public companies on cybersecurity risk management, governance, and incident disclosure.
For many companies, the journey into cybersecurity began with compliance.
Passing an audit, obtaining an attestation, or otherwise demonstrating compliance became a requirement to keep doing business with banks, partners, and customers. Since these standards include basic cybersecurity hygiene, putting the controls in place becomes a priority. Most data security frameworks share common controls, such as encryption at rest and encryption in transit, so a company can cover many different compliance requirements with a single security plan.
While your responsibilities as CCO have grown to include cybersecurity requirements, they have always covered more than the technology side of the business. They extend into operations, human resources, and more. As the CCO, you need to understand the full compliance environment in which the business operates. Compliance frameworks not only include information security; they also extend into growing areas such as privacy, and implementing privacy has a natural intersection with technology. No matter which way you turn, you need a close alliance with the CISO.
Likewise, the CISO benefits from your efforts, because many of the technical controls they would like to implement are also required for compliance reasons. From encryption to monitoring, and even multifactor authentication, modern compliance standards dictate the minimum bar of good information security. When the CISO is struggling for budget approval, they often look to the CCO as an ally. Whether or not leadership thinks they need security, they will typically agree to the necessity of complying with the laws and regulations of the industry.
Cybersecurity is risk management. The risk of noncompliance has long been a major factor in traditional risk analysis. When building out the risk matrix, the likelihood of a breach may be rated low, but the likelihood of noncompliance being discovered is typically high. Between audits and whistleblowers, regulatory noncompliance is hard to hide, and when it is discovered, the loss of business and the cost of penalties provide a strong financial reason to stay ahead of the requirements.
While the CISO/CCO alliance is a benefit, the business needs to be careful not to settle for "check the box" compliance. That may seem like a cost-saving approach, but it is really a poor use of capital. When you do the bare minimum to meet compliance requirements, you don't get the true benefit of the money being spent. The controls will never be as effective, because people don't truly believe in them, and the risks they are designed to mitigate will not be as well managed as leadership believes.
Creating a culture of security and a culture of compliance is a unified effort.
You and your CISO should make the efforts part of the company culture. Draft policies and design procedures built around your company values. Encourage employees to do the right thing, every time, and reward those who do. Build safe mechanisms for people to report gaps and risks. Fix them when they are found. Promote a “see something? Say something!” environment for all business risks.
Making security and compliance part of your culture aligns the CISO's and CCO's efforts. It aligns the business's strategy and tactics with those efforts as well, and keeps the risk management exercise aligned with the business's goals. This alignment has the obvious benefit of lower cost and effort to implement the necessary programs, and it lets leadership enjoy the savings. A holistic view of compliance and security allows one control to cover multiple domains, evidence of compliance to serve multiple audits, and audit costs themselves to fall where the information can be shared.
Lower costs, less effort for the team to implement, and more effective, real risk mitigation are the benefits realized when you and the CISO work together. You can replace "check the box" compliance with real protection for the business. You can have real, measurable results that reduce risk and keep other compliance costs, such as insurance, lower. The return on investment is real, in preventing larger future losses. The outcome is clear, and the growth and success of the business will be better for it.
Make sure the CCO and CISO are joined at the hip at your company too!
Comment from Humanitarian missions for the military (6 months ago): Erik, it is interesting.