
Cybersecurity pros: Are you in compliance?

How do you measure your success when it comes to compliance?


One area that can keep IT professionals up at night is compliance. Questions to consider: Are your systems up to the challenge? How should your company approach compliance management? Can AI help or hinder your efforts?

The answers to these questions and more were explored in the recent webinar, “Are you in compliance?” The event featured Terra Cooke, security engineer at Lacework, and Dom Wells, alliances manager at DNSFilter.

Cooke kicked off the webinar by reminding us that “Good compliance is not good security,” but noted, “Good compliance can help enforce good security.” Cooke said compliance work is about getting a pulse check on what is working and what is not in your security framework. Wells reiterated that compliance tools give businesses an easy-to-follow roadmap and “a way for them to understand their own security posture and internal practices to see where there might be some gaps.”

When it comes to beefing up a company’s compliance efforts, the hurdles that likely need to be cleared include securing the necessary resources and getting buy-in from leadership and employees. Sometimes it is tough to get company buy-in to support compliance because it can be costly. Wells pointed out, though, that “some of the costly upfront costs may actually save you if you actually do get hacked,” adding, “it is like an insurance policy, it helps you sleep.”

Several components are needed to support the build-out of an effective compliance framework. The four key focus areas for a business should be: people, processes, technologies and data. “Compliance is very much a human aspect of security because it touches the entirety of the business,” Cooke said. Wells emphasized the importance of documenting everything for traceability, monitoring for changes in vulnerabilities, identifying points of risk and emphasizing training.

Hacking is a whole business and is forever changing. One of the hurdles Cooke sees is overcoming the shame culture that is present in the overall security culture. Companies need to reframe the narrative around security and bolster the idea and importance of compliance through such things as a security champions program. “Companies need to do a better job of bringing security into performance evaluations so employees understand its importance,” Cooke said. It can be a non-financial company incentive for employees to make security and compliance part of their mindset.

A good compliance framework consists of stages, which all take time and education:

  • Logs.
  • Identity and access management, so that the appropriate users have access to the things they need to see or work on.
  • Good email and web security.
  • A solid cyber stack in line with your compliance goals.

AI and compliance

Where does AI fit into compliance? There is no silver bullet that keeps you 100% protected. DNSFilter does use AI and large language models, and AI can help make your life easier when it comes to compliance. “One thing AI is really good at is protecting specific things,” said Wells. AI used to just look at past behaviors but now is looking at behavior processes. “AI can do a good job of just protecting us, but don’t lean on it to do the hard work for you,” said Wells, adding, “For compliance specifically, it is going to take a lot of humans to achieve good compliance and good security.”

Cooke said she expects one of the biggest areas where AI will have an impact to be risk. “We now have so much more data for AI to plow through and ultimately provide more bad ‘stuff’ for us to review.” The tech can help delineate vendor questionnaires, for example, when a company is looking to pick a new vendor, by providing quantitative data as a basis to decide which vendors to reach out to initially.

Key takeaways

  • Build a culture of compliance from within.
  • Find resources to continually educate yourself.
  • Have a good compliance story to tell.
  • Be able to explain the “why” behind your efforts.

Conclusion

It boils down to this: all cybersecurity professionals need to be current on compliance, or at least be working toward getting into compliance. Of course, IT pros need buy-in from all aspects of the company, from the C-suite down to every employee. It is important to remember that compliance is not just about checking the boxes; it is about what you are going to do to improve when you find you are out of compliance. “It is a process and a journey,” Cooke concludes.
