Find out why the best IT security teams don’t operate quietly in the background and why that’s a good thing.
If you don’t hear about any problems from your IT security team, it’s not because you don’t face cybersecurity threats. It’s likely because they haven’t identified your cybersecurity vulnerabilities.
When it comes to cybersecurity, no news is not good news.
Your IT security group can’t just maintain the status quo or “check the boxes” to ensure you pass audits. They need to cause conflict. Why?
Compliance Doesn’t Equal Security
You read that right. Compliance doesn’t mean you are secure. The drive to align cybersecurity plans with common control catalogues is more often driven by a desire to obtain and maintain industry-specific certifications. Certifications have become the key to business-to-business trust: a company that holds a desired certification is taken to have an established, tested, and effective information security or cybersecurity program.
Third-party audits by organizations such as PricewaterhouseCoopers, Ernst & Young, and Deloitte are expensive engagements that demonstrate a company’s commitment to achieving compliance certification. They provide detailed reviews of a company’s cybersecurity programs in the hope of obtaining various certification sign-offs.
“It’s critical to remember that many—if not most— breaches disclosed in recent years occurred at compliant businesses. This means that PCI compliance, for example, has been unable to prevent numerous retailers, financial services institutions, and web hosting providers from being breached.” — Security Week
Do these third-party audits truly provide insight into a company’s ability to implement their cyber plan and perform incident response when needed?
Unlike government-implemented processes, the methods these third-party organizations employ to perform their audits can produce dramatically different results. For auditors that rely on partial sampling of auditable materials from within each of the control families, gaps in security controls can go undetected, masked by the presentation of large volumes of verbose policies and procedures.
The risk is that they merely validate that what the standard prescribes exists in the company’s policies and procedures. That is not a real test of a company’s ability to protect itself.
Checking the Boxes Doesn’t Mean Your Company is Secure
Verifying all the required checkboxes on an auditor’s compliance matrix doesn’t ensure a company is secure. Compliance has become an exercise to help company executives sleep better at night.
A Balance Between Compliance and Security
The pursuit of compliance is a noble cause, but there must be a balance between security and compliance. If your security team focuses only on compliance, your organization will face increased risk. Compliance requirements are static, while a security model today is usually dynamic. The speed at which technology and cybercrime change makes it very difficult for current regulations to drive best practices in security.
Companies must abandon the least-effort, box-ticking approach to compliance in favor of a goal-driven mindset that focuses on protecting customer data rather than filling out compliance forms. That means taking a comprehensive approach to IT security that protects all of your information and assets, including your mobile devices and users.
One key area to address is your risk tolerance for each system or device, as different systems require different levels of protection. For example, leaving the receptionist’s laptop unpatched matters less than leaving your enterprise resource planning (ERP) systems unpatched. Your team should review the criticality of each system and decide which security measures to put into place. They also must suggest aggressive measures to protect your data, even if their recommendations provoke disagreements. The most successful IT security groups start challenging conversations that cause conflict amongst stakeholders.
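The criticality-based prioritization described above, as an added example that is not part of the original article: patch deadlines are derived from each asset's criticality tier and the finding's severity, so the same missing patch is urgent on the ERP server and routine on the reception laptop. The tiers, SLA day counts, asset names and patch identifiers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Asset criticality tier -> vulnerability severity -> maximum days allowed to
# patch. These SLA values are assumed for illustration, not taken from any standard.
PATCH_SLA_DAYS = {
    "critical": {"critical": 3, "high": 7, "medium": 30, "low": 90},
    "high":     {"critical": 7, "high": 14, "medium": 60, "low": 180},
    "low":      {"critical": 30, "high": 60, "medium": 180, "low": 365},
}

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str   # "critical", "high" or "low"

@dataclass(frozen=True)
class Finding:
    asset: Asset
    patch_id: str      # placeholder identifier for the missing patch
    severity: str      # "critical", "high", "medium" or "low"
    published: date    # date the patch became available

def due_date(f: Finding) -> date:
    """Deadline = patch availability + SLA for this asset tier and severity."""
    return f.published + timedelta(days=PATCH_SLA_DAYS[f.asset.criticality][f.severity])

def prioritize(findings, today):
    """Findings ordered most urgent first, paired with days remaining until the
    deadline; a negative number means the SLA has already been breached."""
    ranked = sorted(findings, key=lambda f: (due_date(f), f.asset.name))
    return [(f, (due_date(f) - today).days) for f in ranked]

def overdue(findings, today):
    """The subset of findings whose deadline has passed, most overdue first."""
    return [f for f, days in prioritize(findings, today) if days < 0]

# Constructed sample: the same patch gap on an ERP database and a reception laptop.
ERP = Asset("erp-db-01", "critical")
RECEPTION = Asset("reception-laptop", "low")
TODAY = date(2024, 6, 10)
SAMPLE = [
    Finding(RECEPTION, "patch-A", "high", date(2024, 6, 1)),
    Finding(ERP, "patch-A", "high", date(2024, 6, 1)),
    Finding(ERP, "patch-B", "medium", date(2024, 5, 1)),
]

if __name__ == "__main__":
    for f, days in prioritize(SAMPLE, TODAY):
        print(f"{f.asset.name:18} {f.patch_id} due {due_date(f)} ({days:+d} days)")
```

Run as-is, the ERP findings come out overdue while the identical laptop finding still has weeks of SLA left, which is the risk-tolerance conversation the paragraph above is asking the security team to start.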
When it Comes to Cybersecurity, Get Comfortable Being Uncomfortable
To gain an accurate understanding of your security risks, you must get comfortable with these uncomfortable conversations. For example, many managers view patching as disruptive and don’t want to take the time to do it. Your security team must show them why patching is important and the risks of not keeping your company’s devices up to date.
- What would happen if a hacker broke into your smartphones or tablets?
- What information could they steal and make public?
- How would this put your company’s finances or reputation at risk?
Your security team should make leaders at your company uncomfortable for a short time while they apply patches, as the business benefits outweigh any immediate, short-term hassles. They must manage any conflicts that arise when they identify threats and suggest measures to keep your data safe. These discussions won’t always be easy, but they are critical to a successful security strategy.
Next Steps
To learn more about how to be prepared for the next generation of IT security threats, read The Ultimate Guide to Enterprise IT Security. You can also contact us today to discover how we can help you with your cybersecurity.