In a previous blog, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams.
In this blog series, I am going to take a deeper dive into each question and break them down one at a time. We will discuss why CEOs should care about each question and the type of answers teams should be providing.
This week we tackle a tough question:
Are we compliant?
For the purposes of this blog, I am going to speak only of cybersecurity/privacy regulations. I am already assuming that you, as the CEO of the organization, are aware of the applicable cybersecurity regulations for your industry. (If you aren’t, I would call outside legal counsel immediately.)
All joking aside, in regards to cybersecurity, being compliant with an applicable regulation (e.g., PCI, HIPAA, GDPR) does not necessarily mean being “secure.” However, it is a great measure of overall maturity for your organization and the functions that support compliance.
Think of compliance as the price of doing business. Compliance with applicable regulations, when done correctly, can benefit security. Being compliant means having appropriate controls in place (per regulation) that can be audited to an external, third party’s satisfaction. It should also establish metrics for the compliance controls. Internal and external resources are responsible for ensuring that compliance and security controls exist and are managed. The frequency of these audits varies, but a second set of eyes on controls never hurts. While this does not equal being secure, it can benefit the security of your organization when the two functions work together and strategically.
Remember, as the CEO you are creating the culture in your organization. A culture of compliance will ensure your organization is able to avoid fines and, in some cases, continue to do business. Compliance efforts benefit your overall security program. My biggest piece of advice for CEOs as it relates to compliance and security is to ensure the two functions work together strategically. When the two programs are managed as two fiefdoms that don’t often interact, the relationship can become strained or, in the worst cases, adversarial.
One of my best friends in the industry is a rock star at compliance. When we worked together, making sure we were strategically aligned allowed both our groups to accomplish their missions and ensured that resources and projects were handled in an order that benefited both functions. This partnership gave us the unique ability to walk into a room together and represent managing risk as one. In the end, neither of us had to be in the room to ensure that both compliance and security were represented in strategic discussions. Build synergy among these functions and you should be in the right spot.
Asking this question should lead to other discussions such as budgets, resourcing, and appropriate strategic efforts. Remember: compliance, much like cybersecurity, should be seen as a strategic corporate enabler and managed appropriately.
In some organizations there can be a negative association with compliance in regards to cybersecurity. The failure of some organizations is to stop at “checking the checkbox” or doing the bare minimum required to satisfy an external third party. As we have previously discussed, attackers move faster than legislative or regulatory bodies ever can.
When it comes to compliance, stopping at the bare minimum may result in passing audits, but it may also mean getting breached. It is important to be compliant, but it’s more important to establish a program that manages both compliance and cybersecurity concurrently. This approach will help save time, money, and resources.