The three questions all CISOs should be prepared to answer (Part Two)

By Michael Lines on January 23, 2017

In part one of this series, we discussed the first of the three questions all CISOs should be prepared to answer when discussing security with their board or company leadership: "Are we secure?" In this article we will discuss the second question:

Are we compliant?
Compliant with what, you might ask? Well, to start, compliant with your own information security policies! The information security program you have put in place to address the question "Are we secure?" should be articulated in a formal policy document for your company. That policy should specify what controls and measures must be in place across the company in order to protect your company's and your clients' information.

However, having a policy and ensuring that the policy is followed are two different things. It is relatively easy to come up with a comprehensive information security policy tailored to your business; the challenge comes in getting all the employees and business units of the company to follow it consistently. This is where an ongoing information security assurance program is vital. Whether it is your company's internal audit function, a separate team within your security organization, or a third-party security consultant (or, even better, some combination of all three), it is vital that there be continuous monitoring of your security program to ensure your company's compliance with its own information security policy.

In my experience as a CISO, what gets audited gets done, and what doesn't, doesn't. The internal pressures most companies face make it all too easy to respond to competing interests, whether from clients, product development, or operations, and put off compliance with some aspect of the security policy. What starts as a one-time exception can all too easily morph into the de facto policy without the pressure of audits down the road to enforce compliance.

But compliance with your own policy is not enough; you also need to be compliant with the laws and regulations of the industries and locations in which you operate. These can span security and privacy regulations ranging from Sarbanes-Oxley, to PCI DSS, to HIPAA, to European data privacy regulations, to countless others. For listed companies with international operations, the breadth of regulations you can be subject to, and the impact they can have on your operations, can be staggering. Understanding what data you maintain, where it is hosted, and who has access to it is step one in building the map you will need to maintain this aspect of your compliance program. And of course, once you understand what additional obligations you may have under these laws and regulations, you will need to tailor your information security program and policies to add any additional measures and controls they require.

Finally, you will need to ensure your ongoing compliance with the obligations you have agreed to with your clients. Clients across industries, but especially those who are themselves subject to stringent oversight by regulators, such as financial services firms, are increasingly demanding that stricter security measures be enforced by their vendors. When you are one of those vendors, you need to make sure that your security team is involved in the negotiation of your client contracts so that the client requirements can be understood, negotiated as necessary, and documented so that they can be met. And yet again, where necessary, the information security policy may need to be adjusted to deliver against these negotiated additional controls. Need I mention that you, as a customer, also need to ensure the same for your vendors who handle or have access to your sensitive information or business processes?

So, as you can see, the simple question "Are we compliant?" has many dimensions that need to be understood and verified before any confident statement can be made to your leadership.

Finally, the remaining question you will need to be prepared to address is “Are we ready?” I will discuss this in the third part of this series.

This piece was originally posted on LinkedIn Pulse and is reposted here with the permission of Michael Lines.
