Don't let cybersecurity frameworks scare you, you're already working towards compliance
Behind every successful technology infrastructure is a framework that has been tried, tested, and proven. In cybersecurity that framework, or set of “best practices”, is used to determine risk tolerance while securing systems, networks, software, devices, and data.
Unfortunately, many cybersecurity professionals today have not been very effective at adhering to these frameworks, simply because they are already stretched thin and likely working well beyond the standard 40-hour work week. Factor in the cost for a business to certify against a framework and leadership buy-in becomes rare, and, let’s be honest, in a tight budget that money is often better spent elsewhere.
There are international frameworks such as the Center for Internet Security (CIS) Critical Security Controls, System and Organization Controls (SOC 2), International Organization for Standardization (ISO) 27001, Factor Analysis of Information Risk (FAIR), the IoT Security Foundation (IoTSF) IoT Security Compliance Framework, and MITRE ATT&CK, and country- or region-specific ones such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Cybersecurity Maturity Model Certification (CMMC), the General Data Protection Regulation (GDPR), European Telecommunications Standards Institute (ETSI) standards, the UK’s Cyber Assessment Framework (CAF), New Zealand’s Protective Security Requirements (PSR), and the Australian Signals Directorate (ASD) Essential Eight. Among them there is likely at least one government-related framework your business has to comply with.
Industry-specific frameworks such as HITRUST, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and Financial Industry Regulatory Authority (FINRA) rules add to the list, and even states are deploying their own: the California Privacy Rights Act (CPRA), which amends and expands the CCPA from 2023, guarantees that every business, public and private, needs to review the compliance regulations that apply to it.
Cyber insurance carriers are following suit with new multi-page questionnaires that assess your risk to set your coverage and premium, or in some cases to deny coverage outright. After years of paying claims, insurers are looking to protect themselves from losses, which in turn should force businesses to improve their cybersecurity posture.
In my experience the one most commonly obtained today is SOC 2, which examines security, availability, processing integrity, confidentiality, and privacy controls around customer data. But if you are just getting your feet wet with compliance frameworks, I would recommend starting with the CIS Controls.
The bottom line: find the frameworks that impact your business and start adopting their best practices today. While there are more than 50 frameworks available, most of them rest on the same basic principles, so as you work through the ones that impact you directly you are also checking off boxes in the others.
Don’t let the number of frameworks or their requirements scare you. If you cover the common-sense basics, such as applying patches and firmware updates on a schedule, having every employee complete annual cybersecurity training, and making sure not everyone has access to everything, you are probably most of the way there.
You do, however, have to take the first step. An online search for the requirements of the framework you choose will turn up a number of options right away, often with free information to help you on your journey. You then have to budget for the annual expense and make it a standard part of doing business to protect your customers and your data.
If you are not looking into these yet, the days are numbered; soon you will be forced to.
If you have questions, let’s talk.