Nobody we’ve met in IT gets excited about compliance. In fact, if we gave you the option of a root canal or manually going through a spreadsheet to figure out if you’re compliant with a particular framework, you’d probably pick the root canal. And the subject of GRC (Governance, Risk, and Compliance)? That might put you in a coma.
Everyone agrees that compliance is important and needs to be addressed at a high level, but nobody really wants to do it. Because of that mindset, most organizations either dabble in adopting a security framework or never adopt one at all.
Some reasons behind that reluctance are:
- Feeling the task is either too daunting or too boring, especially when considering the creation of policies and procedures.
- Feeling your organization isn’t big enough to justify using a security framework.
- Realizing that nobody is asking you to address this problem, and so you don’t.
- A lack of time from fighting too many fires every day.
- A lack of resources from understaffing and/or lack of budget.
- A lack of expertise. You’re just not sure how to approach the problem, or where to begin.
Changing Your Mindset by Asking: How Secure Am I?
One thing that changes the mindsets of many IT directors is to step back and ask the question: How secure am I? And how do you feel about your overall security right now?
More specifically, how would you rate your cybersecurity posture on a scale of 1 to 10 (with 10 being amazing)? Once you pick a ranking, ask yourself: How did I arrive at that number?
Surprisingly, when we ask IT directors these questions, we usually don’t get a number as an answer. Instead:
- We get a list of products purchased and implemented such as EDR, MFA, firewalls, etc.
- We hear about a ransomware attack from five years ago from which they’re still recovering—both mentally and technically.
- We get a list of things they’d like to do in future budget cycles (like putting in a new firewall, a new MSSP solution, etc.).
- We hear about a lack of buy-in from leadership.
If we do get a number, it usually falls into three buckets:
- Approaching 10: Those who report a 10 or approaching 10 are probably very misled. It’s likely not a 10! This overconfident thinking is also a danger to these organizations.
- Approaching 0: In these cases, the situation is probably not as bad as they think, but their will is probably broken by their situation. They’re likely burned out.
- Somewhere in the middle: These organizations are probably right. However, sometimes we hear “between a 4 and a 6,” but there is a big difference between a 4 and a 6. That gives us a sense that many IT directors might need help accurately assessing their cybersecurity posture.
Acknowledging You Need Help: Where Do You Go from Here?
As the conversation evolves, we next hear the question: How can we determine where we are and where to go from here? And how can we improve our posture most effectively?
These are important questions. Typically, many IT directors believe they’re solving critical problems by investing in a new tool or solution that they think will make them more secure. However, a tool won’t solve all your problems—especially if you aren’t paying attention to basic things that need addressing in your environment.
A compliance framework can help IT directors look at their environment more holistically before drilling down into individual items. That’s why it’s important that you measure yourself against a framework.
The Pitfalls of DIY Framework Compliance
Framework compliance may be difficult to do by yourself. A compliance framework involves a set of policies, guidelines, and best practices designed to manage an organization’s information security risks. “Risks” is the word to focus on here.
So, how do you reconcile your operations with a specific framework? Traditionally, this has been a very manual process using a spreadsheet listing all kinds of controls where you map what you’re doing against these individual controls. It’s very complicated and overwhelming.
Let’s look at the NIST Cybersecurity Framework 2.0 as an example. Imagine fitting this into your day-to-day work:
- Learning about the framework: On NIST’s website, NIST provides a 32-page document telling you about the framework. Not how to implement it. Not a template. Not a spreadsheet. This means we’re off on the wrong track, because most IT professionals don’t have this kind of time to invest in reading about the framework. If you’re going to carefully read and analyze a 32-page document, it’s reasonable to expect that you’ll make some progress toward actual compliance, not just spend research time learning about the framework.
- “Quick Start”: The Quick Start section of the website links to six different documents, and each of those documents runs to a double-digit page count as well. Again, not great for IT directors from an efficiency and effectiveness standpoint.
- NIST tool: NIST offers a tool that should help you, but it really doesn’t; it just provides a spreadsheet that’s no better than similar tools we’ve seen in the past.
The NIST Cybersecurity Framework is based on five functions:
- Identify
- Protect
- Detect
- Respond
- Recover
In the 2.0 framework, NIST added a Govern layer, which adds complexity. Each function has categories, and each category has subcategories. As a result, a lot of information feeds into the framework. Below is just a brief snapshot of this complexity.
Then, the categories and subcategories have profiles.
Then, there are tiers that describe your level of completion with each particular control.
- Partial: Exists, but in an ad hoc manner.
- Risk-informed: Formal risk management plan approved, but implementation not yet organization-wide.
- Repeatable: Formally approved and implemented organization-wide.
- Adaptive: Organization able to update, evolve, and stay compliant over time.
That’s a lot of information.
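As an added illustration (not from the original post, and not a NIST or vendor tool), here is a small Python self-assessment that records one tier per subcategory, averages tiers per function, turns that into the 1-to-10 posture number asked for earlier, and lists the lowest-tier items first as a starting roadmap. The subcategory IDs follow the CSF 2.0 Function.Category-NN naming style, but the sample assessments are constructed; check any ID against the published framework before using it.

```python
from dataclasses import dataclass
from statistics import mean

# The four tiers as the post lists them, mapped to 1..4 for scoring.
TIERS = {"Partial": 1, "Risk-informed": 2, "Repeatable": 3, "Adaptive": 4}


@dataclass(frozen=True)
class Assessment:
    subcategory: str   # "Function.Category-NN", e.g. "PR.AA-01"
    tier: str          # one of the TIERS keys

    @property
    def function(self) -> str:
        # Function prefix before the first dot: GV, ID, PR, DE, RS or RC.
        return self.subcategory.split(".", 1)[0]


def tier_score(a: Assessment) -> int:
    """Numeric tier; an unknown tier label is a data-entry error, not a 0."""
    try:
        return TIERS[a.tier]
    except KeyError:
        raise ValueError(f"{a.subcategory}: unknown tier {a.tier!r}") from None


def score_by_function(assessments):
    """Average tier (1-4) per function, e.g. {'DE': 3.0, 'GV': 1.0, ...}."""
    buckets = {}
    for a in assessments:
        buckets.setdefault(a.function, []).append(tier_score(a))
    return {f: round(mean(v), 2) for f, v in sorted(buckets.items())}


def posture_out_of_ten(assessments):
    """Overall posture on the 1-10 scale, derived from tiers rather than gut feel."""
    avg = mean(tier_score(a) for a in assessments)
    return round(1 + 9 * (avg - 1) / 3, 1)  # linear map of 1..4 onto 1..10


def roadmap(assessments, limit=3):
    """Lowest-tier subcategories first: the 'fix sooner rather than later' list."""
    return [a.subcategory for a in sorted(assessments, key=tier_score)][:limit]


# Constructed sample self-assessment (illustrative IDs and tiers only).
SAMPLE = [
    Assessment("GV.OC-01", "Partial"),
    Assessment("ID.AM-01", "Repeatable"),
    Assessment("PR.AA-01", "Risk-informed"),
    Assessment("PR.DS-01", "Partial"),
    Assessment("DE.CM-01", "Repeatable"),
    Assessment("RS.MA-01", "Partial"),
    Assessment("RC.RP-01", "Risk-informed"),
]
```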
At this point, we begin to question the odds of your organization fully adopting a framework. In many cases, the chance is zero. Many haven’t gotten there, and a few don’t even try. If you do have full compliance, it’s likely that you’re forced into it by some outside factor (such as a law).
There is another way, though: adopting a framework becomes realistic when the process itself becomes easier. And that’s where Compliance as a Service (CaaS) comes into the picture.
How Compliance as a Service (CaaS) Makes Compliance Easier
CaaS equips your organization with the expertise and resources it needs to effectively comply with a compliance framework. That includes:
- Experts: Compliance experts analyze your compliance deficiencies and make recommendations that will resolve those deficiencies.
- Framework Identification: Identifying the specific security frameworks you’re using.
- Policies and Procedures: Creating custom policies and procedures, mapping what you’re doing operationally to those policies, identifying your gaps, and then working together to fill those gaps. This gives you a holistic process for managing risk through a cybersecurity framework.
- Roadmap: A roadmap with task optimization for framework implementation, looking at the most critical items you need to fix sooner rather than later.
- Reporting: Management reporting on your security status and improvements.
- Meetings: Weekly meetings to discuss progress, prioritize next steps, and keep you accountable during the process. It’s easy to start down a compliance path and then, two years later, realize you haven’t made much progress. Meetings help keep everyone on track.
- Platform: A platform that centrally houses all compliance information, gathers information from you in an easy way, and creates tasks.
IT directors are rightly concerned about regulatory complexity and constant changes. It’s challenging to manage a diverse and ever-changing regulatory landscape, including industry-specific and international regulations. CaaS can go a long way toward helping you address these issues.