Complying With Modern-Day Cybersecurity Governance

From a regulatory perspective, organisations have a number of standards to consider for cybersecurity. But what does that mean? What are cybersecurity compliance standards? Cybersecurity compliance standards, unlike other industry standards, have developed over time with different levels of detail, requirements, and goals to judge or assess the same areas. These include Payment Card Industry Data Security Standard (PCI-DSS) which is a global standard and an obligation for merchants accepting payment cards, and, in the financial industry in Australia, Australian Prudential Regulatory Authority’s (APRA), Prudential Standard CPS 234 – Information Security which is an obligation for organisations licensed by APRA, or in the United States the National Institute of Standards (NIST) Cybersecurity Framework which is not an obligation but voluntary guidance. Each of these standards will have requirements for technical or configuration change management, but each will demand differing requirements to demonstrate compliance to the standard. Complying with and documenting that compliance with standards is not a capability that IT or cybersecurity has built into business as usual (BAU) operations. This is the first point of change that a CIO needs to draw on peer resources in Audit, Risk, Legal and Compliance to develop a technical and cyber risk team and a methodology for approaching cyber risk assessments and analysis.

Assessments and analysis are the cornerstones of a compliance program. As there is not one cybersecurity compliance standard to “rule them all”, there can be, for even a smaller multi-national, several compliance standards that all demand a differing level of requirement to document and demonstrate compliance. This is where developing capabilities in IT and cybersecurity for quantitative risk assessment and analysis is essential.

Tools such as the FAIR model can help where cyber risk is derived as a quantitative measure in dollars of the probable frequency and probable magnitude of a future loss. This quant-based derivation will make sense to the board and the CIO’s peers in risk management, finance, and even portfolio risk. From a tool’s perspective, organisations are currently all over the map. Some organisations have a GRC system but have not used that tool for cybersecurity compliance, and now they are trying to re-fit that tool to document cybersecurity compliance. But there can be a hefty price-tag for this work. Unless one understands what the goal is, they may spend that money more than once putting in and refitting a GRC solution.

For instance, one organisation uses more than 50 spreadsheets for PCI-DSS for multiple entities, and they have two GRC systems and are struggling with reporting cybersecurity compliance. From a tool’s perspective, one should start with a solid understanding from their legal department of exactly what standards need to be complied with and by when. Once that understanding is validated, they need a solid mapping of standards such that duplication and gaps may be determined. There are a number of good free mappings that can be found at Center for Internet Security (CIS), the Payment Card Industry PCI, the Cloud Security Alliance (CSA), NIST, and there are of course non-free mappings.

Initially, it will be messy, unfamiliar, and seem incorrect and incomplete, but once done in a sustainable and methodological approach, it will improve quickly. Yes, assessments are not a “one-and-done” effort but should be a sustainable process. The CIO does need to lead the way. Without their support, the effort will be doomed, and the organisation will continue to miss the mark in both reporting on the holistic security posture of the organisation and on how the organisation complies with its obligations.

Cybersecurity compliance and improved reporting are attainable. With deliberate commitment to measuring compliance comes the ability to reduce risks and demonstrate the need for increased resources.