This is a guest post authored by Dr. Kenneth Cooper, CTO and Co-founder of Datapoint Solutions Consulting.
The job of a CISO encompasses many competing priorities and requires a delicate balancing act. But one area commonly doesn’t get the attention it deserves: infosec compliance governance. This part of a CISO’s responsibilities deserves more attention than many give it, and it often covers more ground than some CISOs realize.
Why do we need to emphasize one area of our cybersecurity program over another? It is mostly a matter of prioritization. We, as CISOs, know all about prioritization and focus on the tasks that have the biggest impact on the business’s needs and on the cybersecurity areas most critical to our organization’s success. Ultimately, how well we manage the task of creating an efficient cybersecurity program is directly related to our organization’s success. These common factors are typically well known and understood within most organizations. What is not always well known is the need to treat infosec compliance governance as a top priority, and the benefits of doing so.
Making the Case for a Focus on Compliance
If you are setting your priorities based on what will produce the highest return on security budget spending, compliance may not be the first thing you think of. Viewed that way, infosec compliance governance rarely shows a direct, measurable correlation to impact, especially if you look at the per-occurrence rate of information and data loss due to unauthorized access or an information systems breach. But monetary ROI is not the lens through which CISOs should view their priorities.
When you instead consider what will have the biggest impact on your organization and what will ultimately help you create the most secure environment you can, it is easier to see why a focus on compliance is so critical. More specifically, the infosec compliance governance within the cybersecurity programs we develop for our organizations deserves a lot of our time and energy. Many areas are given high consideration for prioritization, but compliance is often overlooked and not treated as the top-five priority that it is.
How a Focus on Compliance Impacts the Rest of a CISO’s Responsibilities
Fortunately for busy CISOs, many of our responsibilities benefit from a focus on infosec compliance. For example, access control and identity management may take precedence in many CISOs’ minds as more people begin to work from home during the COVID-19 pandemic. And while these are definitely important focus areas for a CISO, successful access control and identity management are typically part of a well-planned and well-developed compliance program. After all, the ultimate goal is to protect our organization’s information, right?
Infosec and compliance are often closely related. If we take the process validation and framework implementation of compliance and pair them with the concepts and guidelines for protecting and securing our organizational information, we get infosec compliance.
To direct that infosec compliance, we need to understand how we do it and the best way to ensure it within our organization’s cybersecurity program. We typically define those methods through well-developed and well-thought-out policies; policies that are very detailed and descriptive in nature. If we take the policy concept and apply it to infosec compliance, we essentially get the idea of infosec compliance governance.
Ultimately, we must manage our organization’s sensitive information with well-developed, clearly defined protection mechanisms, and a focus on compliance provides a sturdy framework for them.
What Does a Focus on Compliance Look Like?
The essential parts of an infosec program involve identifying and certifying the systems within our organization that process, store, and transport the different types of data we hold and have access to. Then, appropriate security controls that meet regulatory compliance requirements can be developed for these systems. Focusing on compliance gives a CISO a true north and a way to better organize infosec efforts.
While compliance implementation remains consistent throughout a system’s lifecycle, the regulations, or even the guidelines, that govern data can change at a less predictable rate. For instance, cybersecurity requirements and their governing controls may change their guidance more or less often depending on the issuing body (e.g., NIST, ISO, etc.).
CISOs must have a full understanding of the various types of data that an organization has access to and delivers to employees or customers. There needs to be very deliberate and stringent control over the systems that classify and track this data, their data storage and processing classification needs, and the specific requirement variations between different data sensitivity levels. Infosec defines the methodology for implementing data and information protection.
Compliance creates the ability to map systems to a framework for regulatory certification. Governance allows a defined, repeatable process for assuring asset tracking, data tracking, and compliance matching for infosec needs within an organization.
When we consider all that goes into infosec compliance governance, we have to remember that as CISOs, we are ultimately responsible for the success or failure of this program. As such, we have to know what policy is needed, how often we must update the policy, and how we disseminate changes and updates to meet certification and attestation timeframes for our systems. Essential to this development is the level and degree of our understanding of our organization’s business strategy as a whole. If we don’t understand that, we can’t understand how to apply the policies appropriately, decide on the correct compliance frameworks, and, more importantly, figure out what specific cybersecurity controls must be in place for the information we must ultimately protect. We know why these things are all critical. However, we should describe it purposefully.
We relate all these things, understanding the business strategy and applying it to our infosec compliance governance, for one key reason: risk management.
The Importance of Risk Management
Cybersecurity at a fundamental level is about the management of security risk. When applied appropriately, some simple things follow from a focus on infosec compliance governance within our organization: We are able to map our compliance framework directly to the systems being used to process, store, and transport our organization’s information. Protecting that information requires us to define the right data classifications and the specific control requirements per infosec guidance. We need to develop and provide clear policy guidance directing how implementation and management will occur to protect the systems and their information. Finally, we need to know the impact of a loss, a breach, or an unauthorized disclosure of the information.
So what is the security risk if we don’t apply appropriate and deliberate infosec compliance governance? We run the risk of failing to create risk management and infosec processes that are deliberate, specific, repeatable, and well understood by everyone who interacts with sensitive information. We fail those responsible for implementation, certification, validation, and attestation of the protection levels for our organization’s information based on its risk tolerance.
How do we remediate weaknesses in infosec compliance requirements? That can only be done when we truly understand the risks, their impact on the business, and how security fits into our organization’s overall business strategy. We can also use that overall business strategy to directly shape and support the infosec compliance governance choices for our cybersecurity program as a whole. How and what you prioritize directly impacts your success or failure. Infosec objectives need a deliberate order of action to ensure the impacts on your program are clearly understood and recognized.
Why it’s Important for CISOs to Push a Compliance Focus
CISOs must develop and drive cybersecurity practices from the top down. They hold the ultimate responsibility for ensuring an overarching, comprehensive security strategy. Unfortunately, not every organization is willing to adopt a CISO’s strategies when they require a large investment of time or money. To overcome this, CISOs must prioritize those programs that have the most significant impact and will directly reflect favorable investment returns for their organization.
The CISO mandate is not to protect information at all costs, but to protect information with the resources they’re given. These budget decisions are usually driven by company executives and the Board of Directors.
The CISO’s security implementation strategy and guidance input within any organization can account for nearly 90% of the organization’s overall business strategy. If we consider and understand which processes and programs can have the greatest impact throughout the organization, it would not be a stretch to list infosec compliance governance as one of the top five programs necessary to meet that need.
Few cybersecurity programs touch more systems or have a bigger impact on the business and security strategies than your infosec compliance governance program. Few have such a significant direct correlation to identifying and understanding the risk facing your information systems and the data they house, process, and transport. Remember that three significant functions are combined to develop the infosec compliance governance program: First, compliance directly informs risk. Second, governance directly dictates policy writing. Third, infosec is, by definition, the key to security.
We mentioned at the top of this article that the CISO’s ultimate job is to ensure the protection of an organization’s internal data, customer data, and any other sensitive information deemed critical to the organization. What better way to meet that core job function than by prioritizing the development and implementation of an infosec compliance governance program?
One could make several arguments for where the program should fall on the overall list of required security strategy, implementation, and development initiatives. However, I would challenge those arguing for a lower priority to provide a reasonable argument for it not falling in the top five of the top 10 priorities on a CISO’s list of cybersecurity programs. I will even go one step further and say, if you personally view it as a lower priority, take a closer look at the programs ranked above it and determine whether those programs could fall under the overarching arms of infosec compliance governance; you might be surprised at what you find.
Dr. Kenneth Cooper is the CTO and Co-founder of Datapoint Solutions Consulting, a veteran minority-owned company focused on helping organizations meet their information technology, cybersecurity, and compliance goals. Dr. Cooper has designed and implemented networking and data protection solutions, performed risk assessments, and created architectural design solutions for many State and Federal Government communications and networking systems. He has also designed and implemented policy guidance, governance, and information systems protection and management for enterprise companies, SMB companies, DoD, and State and City Governments.