Companies that have begun a digital transformation from point-in-time compliance assessments to real-time management are already realizing benefits. Coalfire’s Adam Shnider discusses the need to transition from old approaches to new ones.
The growing burden of compliance costs is becoming unsustainable, and it will create even more problems if we don’t abandon old traditions and replace them with modern approaches.
In partnership with global analyst firm Omdia, my company, Coalfire, recently conducted a study of 100 prominent IT and security executives from around the world highlighting the most significant trends in the increasingly complex world of compliance. The changes are dramatic, and the results are alarming:
- More than 90 percent of those surveyed are spending at least one-quarter of their IT security budgets on compliance.
- More than half view compliance and its associated costs as major business burdens and barriers to new market entry.
- The resource load, just to maintain basic compliance for larger organizations, can exceed five full-time resources for each regulatory obligation.
- There are new realities – expect the unexpected – and a much clearer understanding that security and risk management must evolve with today’s growing compliance obligations.
As corporate cyber programs catch up to these new realities and as businesses continue to push critical workloads to multi-cloud environments, the rapid onslaught of new regulations and pandemic-driven protocols are challenging the compliance and assessment status quo. New requirements can become obsolete as fast as they are released, and they often fail to address the risks for which they were intended and support the technology, products or services being assessed. This leaves the burden of interpreting compliance requirements on organizations and their assessors, making it difficult to determine the best path forward.
Whether the assessment framework is NIST 800-53, PCI DSS, ISO 27001 or any of the dozens of others, it is critical to understand the process in which each framework is defined and to understand its role in providing the guardrails that validate the controls for the intended purpose set out by the oversight body. For example, FedRAMP uses NIST 800-53 and defines which controls need to be tested based on the “impact level” that must be achieved to ensure cloud service providers offer the appropriate security controls for federal agencies. FedRAMP also provides overlays and guidance to help define scope and reporting mechanisms and a few additional requirements to achieve compliance.
Framework management has become a more complex issue, as most compliance frameworks generally have a feedback, draft, update, review, comment period, release and adoption cycle. This process will take an average of four years from start to adoption, and many extend much longer.
With that understanding, can you imagine writing a framework today that is expected to be applicable to the technology that will be used in four years? We all know that is nearly impossible, so it is therefore up to the organizations developing these innovations and their assessors to determine the best methods to apply controls to new technology.
Assessor Judgment Above Complacency
As the world around the assessment changes rapidly, many assessors and consultants continue applying old methods and techniques, regardless of monumental changes in the technology around them. On top of already skyrocketing security and risk management demands, this complacency is an industry-wide problem that’s leaving organizations under a deeper burden: More time and resources are expended in compliance assessments that may only be looking to check a box that may no longer be relevant to the current technology or to the changing size and scale of the environment.
For example, in a dynamic cloud environment that has 50 servers deployed through Infrastructure-as-Code (IaC), the AICPA sampling guidance for an SOC report suggests taking five to nine samples and reviewing the configuration for relevant controls. Seems pretty simple, but when you scale that to 500 servers or even thousands for larger enterprises, AICPA defines a high degree of assurance with 60 samples. To calculate the impact, multiply that by the number of workloads you are running in the cloud – and remember, these are dynamic, so they spin up and shut down as capacity is required and populations change.
Assessors have typically taken a snapshot in time to define the population, pull their samples, perform the review and identify exceptions or move on to the next step of the assessment. While traditionally acceptable, this has become less efficient in sampling and identifying risks to the intent of the controls being tested today and in having to spin up new workstreams to avoid that dreaded negative outcome of not being considered “compliant.” This is where the assessor’s experience and judgment come in to guide the right resourcing decisions.
Digital Transformation: Compliance on Demand
Automated and on-demand compliance programs that leverage cloud technologies and look back at the system design, configuration and management to provide continuous assurance are replacing the point-in-time check-box mentality of the past. It’s the new way to think about compliance and achieve alignment between security programs and business needs.
This transformation requires re-tooling – and often even more people with higher skills, despite our industry’s extreme labor shortage. There is a growing demand for an upgraded professional cybersecurity talent pool – experts who have the knowledge and experience to improve security, streamline and guide business outcomes on a continuum rather than through traditional, point-in-time compliance approaches.
The assessor’s required skills must be “transformed” to drive the change, understand the solutions and connect the dots of a robust security program to the compliance requirements. The outcome is the positive alignment of risk management, security, business objectives, performance management and controls discipline. We have the assessment community performing the reviews and validating compliance and the product companies developing the platforms and solutions to connect the dots between the data and what’s needed to improve security.
The panacea in the “digital transformation of compliance” is combining the assessor’s expert guidance for each requirement delivered “on demand” through a platform that captures and aligns security data with compliance outcomes.
Compliance on demand means that the business is in control of its own destiny as designed and defined by the security team attesting to the controls of the various frameworks. The best outcomes are achieved by leveraging the knowledge and experience of the assessor with technology embedded in a platform that provides ongoing visibility of both the security and compliance programs. Compliance is managed up, down and across the organization so that everyone – from engineering to HR – is involved in managing and telling the company’s security story.
The concept of compliance on demand brings an end to the old adage that compliance doesn’t always equal security, and vice versa. Instead, CoD facilitates the melding of compliance and security to finally allow consolidated, strategic CXO oversight of the organization’s more important, and more complex, cyber initiatives.
Security and Compliance: Shared Outcomes
Over the years, compliance and security have been allowed to diverge. The time has come to bring them back together. As corporate leadership prioritizes cyber, compliance will drive the policies, but security will set the tone by moving beyond merely meeting compliance requirements. Compliance, in turn, will quickly evolve and become more relevant to security initiatives.
New regulations, the move to the cloud and the pandemic’s dispersion of people and operations are accelerating digital transformation. We see the urgency with our clients – especially in financial services, health care, technology and anything e-commerce – who need to break down the borders of their own facilities to respond and scale to the dynamics of the “new normal.” CXOs are quickly gaining better understandings of cloud-based risk, and priorities are coming into clearer focus as they manage cloud assets by consolidating, streamlining and automating more of the workloads to improve performance and reduce risk.
Adjusting perspectives like this can shift the cyber resource allocation paradigm toward achieving security and business outcomes that also meet compliance requirements.
Our study showed that everything around compliance has changed, yet many organizations tend to want to continue managing compliance as they have in the past. Digital transformation requires compliance transformation to make it all work. There remains an urgent call to action: The costs of staying compliant beyond 2020 will become unsustainable for organizations that don’t begin their digital transformation of compliance, capitalize on the benefits, move into new markets and align compliance with business objectives.