Since 2011, BlueAlly has been helping companies build scalable, secure, and efficient security programs and infrastructure. In that time we have seen a lot of security programs and have worked with companies of all sizes and types to effectively address their various security and compliance challenges. From the small two-person startup that has grown to thousands of employees and subsequently IPO-ed, to large biotech companies that have embarked on, and since completed, a transformation of their infrastructure from on-premise data centers to hybrid cloud, we have seen security programs at every stage of maturity and have helped many companies complete their objectives.
The truth is that companies today face a much more challenging security and compliance environment than in the past. In the 90s, building secure infrastructure and security programs was something only the largest companies did. For smaller companies, security and compliance requirements were relevant only insofar as it made business sense to apply best practices. It was not that organizations thought security was unimportant; rather, most companies were focused on developing products and making them available.
A Brief History of Compliance
Prior to the year 2000, compliance was largely the domain of companies working with governments and of companies subject to regulatory and legal requirements. Security and compliance standards existed in the form of NIST guidance and SAS 70. Companies leveraged these as best practices, and compliance applied mainly to those who worked with large organizations that required these practices. There was no forcing function for the majority to be compliant.
In the 2000s, we saw the seeds of mainstream compliance being planted. In 2004, PCI stepped onto the scene with PCI v1.0 to mandate requirements for companies that process, transmit, store, or accept cardholder data. SAS 70 from the AICPA was used to demonstrate control objectives and validate control activities. First published in October 2005, ISO 27001 was later revised in October 2013 to better accommodate the changing information security challenges. Back then, the requirement to be ISO 27001 compliant mostly applied to companies in Europe or those working with European customers.
The 2010s were a Renaissance period for compliance. Alongside the rise of cloud services and globalization, we saw rapid maturity and adoption of compliance standards. In 2010, the AICPA introduced SOC 2 and Service Organization Controls to replace SAS 70. ISO 27001 became more relevant as companies continued to market their services all over the world, especially in Europe. We also saw the rise of privacy compliance due to the invalidation of the US-EU Safe Harbor and eventually the requirements of the GDPR in 2018.
Fast forward to the 2020s and we see that security and compliance have gone fully mainstream. Today, due in part to the proliferation of cloud services and rising maturity in risk management, companies regularly come under the scrutiny of customers for security requirements and are held accountable to a swath of different frameworks, including, but not limited to, the following:
- SOC 2
- ISO 27001
- ISO 27017
- ISO 27018
- PCI
- HIPAA
- HITRUST
- FedRAMP
- StateRAMP
- CMMC
- NIST 800-53
- NIST 800-171
- GDPR
- CCPA
- APEC
- NYDFS
As more companies pursued the compliance requirements above, their third parties and vendors were also required to maintain similar processes. This cycle had the positive effect of pushing security compliance into the mainstream, but it also made compliance a challenge for companies of all sizes to implement and maintain.
Key Compliance Challenges Today
Among the many security and compliance challenges companies face today, these are the ones we see over and over again.
- More security and compliance requirements. Keeping up with more security and compliance requirements as the company grows.
- Privacy requirements. Keeping up with privacy regulations and their intersection with security and compliance.
- Decentralizing security. Making security a part of every individual and department instead of being owned and enforced centrally.
- Customer security requests and audits. As companies acquire more and larger customers, they are subject to new and more difficult security questions and are often required to support customer audits.
- Changing and increasing compliance scope. Managing compliance evidence and requirements in the face of changes or increases in scope and environment(s).
- Complexity in managing cloud risks. Complexity in managing risks on a technology stack that uses multiple cloud service providers and where there is shared responsibility to protect data.
- Effective incident response. The challenge of implementing and managing effective incident response processes.
- Security monitoring in the cloud. Adequate and reliable security monitoring of data and infrastructure in the cloud.
- Effective vulnerability management. Managing vulnerabilities across cloud providers and the technology stack.
- Security staff turnover. Employee turnover in security and compliance, resulting in the loss of valuable domain knowledge.
- Shortage of security and compliance staff. Shortage of resources to keep up with the increase in demand.
No Silver Bullet for Compliance
How do companies address these security and compliance challenges?
While there is no silver bullet, companies can opt to leverage baseline approaches that have worked in the past, as well as take advantage of improved tools, technology, automation, and experienced resources that are available today to address these challenges. One downside to approaches that have worked in the past is that they tend to be manual and require constant maintenance to keep up to date.
The following are key areas to systemize in order to adequately address these challenges:
- Controls, policies, and procedures management
- Audit management
- Vulnerability management
- Risk management
- Vendor risk management
- Customer response management
- Incident management
- Privacy management
Although we wish we could answer with a single product or service, compliance still requires companies to continually assess how to manage their people, processes, and technology to mitigate their risks. Companies must focus limited resources against the ever-growing landscape of threats and regulatory requirements.
Better Ways to Systemize Compliance
Here is a summary of these key areas and the baseline ways we have seen companies attempt to systemize them. We also provide some recommendations on a better approach.
| Key Areas to Systemize | Baseline | Better |
|---|---|---|
| Controls, Policies, and Procedures Management | · Build and maintain a common control spreadsheet and map controls to the applicable compliance frameworks · Review and update policies on a regular basis in a content management platform or internal site that allows version tracking · Standardize security policies and procedures in a location accessible to everyone in the organization | · Evaluate and select an effective GRC tool to manage security controls, policies, and procedures, and use it to establish a common control database · Use a GRC tool that includes mapping to the compliance framework(s) |
| Audit Management | · Build a control narratives document describing how each control is met so it can be reused in subsequent years · Organize the evidence supporting each audit in a dedicated folder structure · Reuse the control narratives and well-organized evidence to meet the following year's compliance requirements | · Use an effective GRC tool to manage compliance and customer audits · Use the GRC tool to manage and disseminate audit narratives and audit procedures to control owners |
| Vulnerability Management | · Maintain a common repository for vulnerabilities in the primary vulnerability management tool and/or a spreadsheet · Use capable vulnerability scanning tools to perform regular scans of the networks · Conduct regular penetration testing with a skilled and reputable testing vendor or resource | · Conduct penetration tests more often, on a continuous basis, as the environment changes · Use a modern vulnerability management tool that has intelligence on cloud provider vulnerabilities · Integrate with cloud providers to gain a clearer and more accurate picture of vulnerabilities · Leverage vendors that provide penetration testing as a service and deliver results as they find them · Remediate vulnerabilities quickly, in a time frame commensurate with their risk level and the threats involved · Leverage vendors that can feed vulnerabilities and penetration test findings into a GRC tool so they can be viewed and actioned in the context of the overall risk to the organization |
| Risk Management | · Create a standard risk register · Conduct risk assessments at least annually · Update the risk register spreadsheet · Review and follow up on risks with risk owners | · Combine a GRC tool with an effective risk management tool · Conduct risk assessment on a continuous basis · Train the organization to enter new risks into the risk tool as they arise · Review and address risks on a regular basis (e.g. weekly, monthly, or quarterly) · Integrate the GRC tool with key systems to periodically gather risk data from customer systems |
| Vendor Risk Management | · Send vendors a standard organizational risk assessment questionnaire · Analyze the responses for key risks · Follow up on open questions · Request that vendors address risks as suggested by the vendor risk process | · Combine a GRC tool with an effective vendor risk management tool and integrate it with the overall risk management process · Send vendors the risk questionnaire through the GRC web tool · Use the GRC tool to review and approve vendors before onboarding · Establish consistent vendor onboarding and offboarding · Conduct periodic reviews to assess risk |
| Customer Response Management | · Create a standard customer response register in a spreadsheet · Respond to customer questionnaires | · Use a GRC tool to carry responses from previous customer questionnaires over to new questionnaires |
| Privacy Management | · Review and update privacy policies on a regular basis in a content management platform or internal site that allows version tracking · Standardize privacy policies and procedures in a location accessible to everyone in the organization | · Leverage a privacy management tool to track privacy controls and how they map to target regulations such as GDPR, CCPA, and APEC · Leverage a tool to fulfill privacy requirements such as cookie compliance and data subject requests |
What’s Next?
As technology and organizations continue to evolve with risks and threats, we expect compliance to also evolve and change. To keep up with these changes, companies need to rely on fundamentals that work while leveraging tools, experienced resources, and automation to scale alongside growing scope and complexity.
As a company that has been working at the forefront in helping others build and evolve security and compliance programs with a collective 150+ years of experience, BlueAlly looks forward to helping customers adapt and meet these security and compliance challenges.