Compliance is a word that gets thrown around in IT circles. It's the thing you hope your organization will achieve, but it's also often treated as an annoyance to deal with when an auditor comes calling. But compliance is more than just adherence to a standard: it's about ensuring that the right systems are in place and working correctly. An organization can be compliant without being secure if its policies and procedures are never enforced or maintained over time. By using compliance as a tool for measuring risk and driving change within the organization, security professionals can establish trust with executive leadership while also taking control of their own destiny, even if they don't have complete freedom over how every aspect of their job gets done each day.
Compliance is the security referee
Compliance is not just the compliance officer's job. Compliance is the security referee that makes sure everyone plays by the rules: it ensures that everyone follows the same rules and enforces those rules in an unbiased manner, regardless of how much money or power they have.
Documentation, documentation, documentation
Documentation is critical!
It's the only way you'll be able to ensure compliance with regulations as they evolve and change. It's also the best proof that you're doing what you need to do in order to stay in compliance. In short, documentation is everything!
- Processes need to be documented.
- Processes need to be followed.
- Processes need to be managed.
- Processes need to be audited.
- Processes need to be updated.
- Processes need to be reviewed. A review checks both the process documentation and its implementation status on a regular basis (usually annually), so the process keeps supporting the organization's goals and objectives instead of becoming obsolete as technology or business practices change.
That is why we created Polygon: to automate policy process management. Get early access to Polygon and see how we are shaping the future of policy management!
Only what's measured gets done
Measurement is a key ingredient to any successful project. In the context of compliance, risk management and security management, it is critical for several reasons.
First, measurement allows you to see what's working and what isn't. If you're doing a good job at something that you don't measure, then how do you know? It's easy to fall into the trap of thinking everything is fine when in reality nothing may be getting better or worse. The only way out of this trap is by measuring progress towards your goal on a regular basis so that you can identify issues as they arise — whether they are related to compliance, risk management or security management — and fix them before they become too large of an obstacle.
Second, measurement lets you share your struggles with others who face similar challenges but don't know where to turn for help or guidance, because until now no one has been measuring their efforts (or they measured them without knowing how to interpret the results). This gives everyone something tangible from which to draw conclusions about what worked best (and worst) in previous attempts at reaching a goal, so that successes can be replicated and past mistakes avoided.
Third, and most importantly, measurement creates accountability. It becomes very clear which projects aren't being completed on time because there wasn't enough staff available due to too many competing priorities, and which departments haven't allocated enough money toward fixing critical problems in their own systems yet still expect immediate results from other areas without contributing anything themselves.
An isolated incident probably isn't an isolated incident
Just because an incident is isolated, doesn't mean it's not part of a larger pattern.
- The incident may be the tip of an iceberg. Many customers don't notice when they are being attacked by malware or phishing emails because they don't know what to look for or how to protect themselves. A few report their incidents, but many do not, so not every incident is reported; some go undetected or unreported until a major incident causes reputational damage to your organization. In addition, if an attacker is targeting multiple companies at once, you could unknowingly be part of a larger attack on others in your industry for whom you provide supporting services (for instance, shared hosting).
- The incident may be part of a pattern of events leading up to larger attacks against your company or other organizations in your industry. For example, if similar firms have suffered attacks over a period of time with similar motives and methods, carried out by attackers who appear to work together based on similarities in their toolsets and techniques, that should raise concern about whether this latest attack is related too, and perhaps even a direct step toward something bigger down the road.
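One way to test the "isolated incident" assumption in practice, as an added example that is not from the original post: score a newly reported incident against prior incidents in the same sector by the overlap in observed techniques and tools. The incident records, sector labels, technique ids, tool names and the threshold are all constructed for illustration.

```python
"""Correlate a newly reported incident against prior incidents in the same
sector by the techniques and tools observed, to check whether an "isolated"
event is really part of a wider pattern. Added example; all records below
are constructed sample data, not real cases."""
from dataclasses import dataclass

@dataclass
class Incident:
    incident_id: str
    sector: str
    techniques: set   # ATT&CK-style technique ids (constructed sample values)
    tools: set        # tool families seen (constructed sample values)

# Constructed history of incidents reported across the sector.
HISTORY = [
    Incident("INC-001", "finance", {"T1566", "T1059", "T1486"}, {"cred-dumper", "c2-framework"}),
    Incident("INC-002", "finance", {"T1566", "T1059", "T1021"}, {"c2-framework"}),
    Incident("INC-003", "retail", {"T1190", "T1505"}, {"webshell"}),
]

def jaccard(a: set, b: set) -> float:
    """Similarity of two sets: shared items over all items (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def similarity(x: Incident, y: Incident) -> float:
    """Weighted similarity: techniques count double, since attackers change tools more often than methods."""
    return (2 * jaccard(x.techniques, y.techniques) + jaccard(x.tools, y.tools)) / 3

def related_incidents(new: Incident, history, threshold: float = 0.4):
    """Return [(incident_id, score)] for past incidents in the same sector whose
    similarity to `new` meets the threshold, highest score first."""
    hits = []
    for past in history:
        if past.sector != new.sector or past.incident_id == new.incident_id:
            continue
        score = similarity(new, past)
        if score >= threshold:
            hits.append((past.incident_id, round(score, 2)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def is_isolated(new: Incident, history, threshold: float = 0.4) -> bool:
    """An incident is only 'isolated' when nothing in the sector history resembles it."""
    return not related_incidents(new, history, threshold)

if __name__ == "__main__":
    new = Incident("INC-004", "finance", {"T1566", "T1059", "T1486"}, {"c2-framework"})
    print(related_incidents(new, HISTORY))   # two earlier finance incidents match
    print("isolated:", is_isolated(new, HISTORY))
```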
Compliance can be your friend
It's time to stop thinking of compliance as a burden and start thinking of it as a security referee.
Compliance is the process of meeting legal, regulatory, and other requirements. It's also the process by which organizations demonstrate that they are meeting their goals by ensuring that they have implemented policies and procedures—including cybersecurity measures—that are appropriate for their business activities. That might seem like an annoyance when an auditor comes calling, but when you look at all the benefits that compliance brings to your organization, you'll see how valuable it can be.
Policies and procedures need to be followed
Policies and procedures are the rules of the game. They tell you what to do when you don’t know what to do. They help you make decisions and form a basis for good governance.
Compliance is the security referee: it ensures that everyone follows these rules, which means that everyone has a level playing field and no one has an unfair advantage over another person or team.
Governance comes from the top
As a security professional, you are the chief enforcer of compliance throughout the organization. You make sure that everyone follows policies and procedures so that they have adequate knowledge of how to prevent and respond to threats.
But what happens when leadership doesn’t support your vision for a more secure business? Or when senior managers don’t agree with the steps you've taken? How do you get them on board with your efforts if they're unwilling or incapable of supporting them?
Compliance is not just an annoyance to deal with when an auditor comes calling.
Compliance is not just an annoyance to deal with when an auditor comes calling. It's a way to make sure you're doing things the right way, and the same way as everyone else.
Let's say you have 1,000 servers and need to patch them all with some new software. You could do it manually or set up a batch script that does it for you automatically every day at 3:00 p.m., but then what happens if your network goes down at 2:40 because someone accidentally tripped over one of those cables? If your servers were patched, they'd be ready for whatever comes next—but if they weren't, then their inability to respond quickly could lead to bigger problems later on.
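To see what "only what's measured gets done" looks like for the patching scenario above, here is an added example (not from the original post) that measures a scheduled patch run against the server inventory, so that failed, unreachable and silently missing servers show up instead of being assumed patched. The inventory, the log format and the log lines are constructed assumptions.

```python
"""Measure patch compliance from a scheduled patch run: which inventoried
servers were patched, which failed, which were unreachable (say, the network
went down just before the run), and which never reported at all. Added
example; the inventory, log format and log lines are constructed."""
from collections import Counter

# Constructed inventory: the servers that *should* have been patched.
INVENTORY = ["web-01", "web-02", "db-01", "db-02", "app-01"]

# Constructed output of an assumed patch script: "<timestamp> <host> <STATUS> [detail]".
# legacy-09 is deliberately absent from the inventory (an undocumented server).
PATCH_LOG = """\
2024-05-01T15:00:02 web-01 PATCHED patch=PATCH-2024-05
2024-05-01T15:00:05 web-02 PATCHED patch=PATCH-2024-05
2024-05-01T15:00:09 db-01 FAILED reason=package-conflict
2024-05-01T15:00:12 db-02 UNREACHABLE reason=timeout
2024-05-01T15:00:15 legacy-09 PATCHED patch=PATCH-2024-05
"""

def parse_patch_log(text: str) -> dict:
    """Map host -> final status; a later line for the same host overrides an earlier one."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than miscounting them
        _timestamp, host, state = parts[0], parts[1], parts[2].upper()
        status[host] = state
    return status

def compliance_report(inventory, log_text: str) -> dict:
    """Count outcomes against the inventory, not just the log, so silent hosts
    become UNREPORTED and hosts outside the inventory are flagged as unmanaged."""
    seen = parse_patch_log(log_text)
    outcomes = {host: seen.get(host, "UNREPORTED") for host in inventory}
    counts = Counter(outcomes.values())
    patched = counts.get("PATCHED", 0)
    return {
        "counts": dict(counts),
        "coverage_pct": round(100.0 * patched / len(inventory), 1) if inventory else 0.0,
        "follow_up": sorted(h for h, s in outcomes.items() if s != "PATCHED"),
        "unmanaged": sorted(set(seen) - set(inventory)),
    }

if __name__ == "__main__":
    print(compliance_report(INVENTORY, PATCH_LOG))   # coverage is 40.0%, not 100%
```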
I hope this has helped you understand how compliance can be your friend. The key is to make sure that you have the right policies and procedures in place, and that they are followed. If you do, it's a lot easier to deal with any incident that comes up than if there's no way of knowing how something should be done or what the impact will be on other systems.