After a security certification exercise such as ISO 27001 or PCI DSS, everything goes quiet and no resources remain to stay compliant. As a CISO I have had peers complain that leadership did not perceive that compliance frameworks like ISO, PCI, HIPAA, or NIST require maintenance after the fact.
The challenges CISOs face with compliance have filled volumes of cybersecurity books. The problem I need to touch on, and one I know many CISOs are concerned about, is that the enterprise pays lip service to compliance while in reality ignoring it: it has low priority and is viewed as a cost.
I have seen this play out more than once: a company is initially excited to get certified, and several departments are involved. Over a set period, a lot of effort and resources are expended on the compliance effort, and the company gets certified.
Reduce Cost
I have had peers say their bosses were incensed that the work was not finished, and that there needed to be a reduction in the cost of maintaining compliance. The way to deal with this issue is for you, the CISO, to make it clear up front that certification is not the end of the work, because keeping it will require a continuous effort from the business.
When I speak to boards and leadership groups, I equate it to having a child: now that the baby is born, we are responsible for it and must nurture it and deal with its demands. Welcome to the world of compliance.
Challenges
When asked to list the top three business challenges driving them to improve their security posture, almost 50% of the CISOs who answered listed hackers or other attackers. As security technologies and threats become more and more complex, CISOs feel under pressure on multiple fronts.
At most organisations today, sensitive data and business functions reside across several networks and locations. This points to the second most commonly reported challenge for CISOs: technology. Asked how the increasing complexity of cybersecurity affects their capacity to meet their obligations, the number one response was an increased need for training and development.
As cybersecurity measures become more advanced, defining and reporting cybersecurity risks to management becomes ever more daunting.
Testing your defences
In many instances, this highlights the value of bringing in a third-party penetration testing company to conduct red and blue team exercises: the red team tests your defences against a simulated adversary, while at the same time your internal blue team, the people and tooling responsible for detection and response, is tested to ensure it stands up to scrutiny.