6 Tips for Cybersecurity Compliance

1. Unite Compliance and Cybersecurity

Some years back, cybersecurity and compliance parted ways, becoming separate and disconnected disciplines. Nick Jovanovic, Chief Revenue Officer at Qmulos, says it’s time to bring them back together.

“A reunion between cybersecurity and compliance creates a convergence, mitigates risk and strengthens an organization’s cyber posture,” Jovanovic said. To marry the two, it’s important to view them as complementary functions. “Nobody loves to talk about compliance, but at the end of the day, it’s a baseline for cybersecurity.”

With thousands of systems to manage, agencies should not view compliance as a checklist, an added task on top of everything else. Instead, the various regulatory frameworks and other requirements are the bedrock on which to build strong cybersecurity, he said.

2. Know What You’re Protecting

The first step toward compliance and robust security is a thorough understanding of one’s IT landscape. It’s about “identifying the mission-critical assets that are key to your compliance and security programs, so that you know what to protect, what controls and frameworks should be applied to these assets,” said LaLisha Hurt, Public Sector Industry Advisor at Splunk.

Know what can go wrong and what the impact would be “if, for whatever reasons, these assets were compromised or inoperable,” she said. That risk-based evaluation is fundamental. “I see a lot of folks jump straight to the automation before [taking] those foundational steps,” she said.

3. Focus on Culture

In 2019, the Navy conducted a cybersecurity readiness report and concluded that compliance had taken precedence over security. “It was actually noted as a ‘culture of compliance’ and not a ‘culture of threat-based operational risk,’” said Alvin “Tony” Plater, the Department of Navy’s Acting Chief Information Security Officer.

In the Navy, as elsewhere in government, “we have to continuously evolve our culture to understand what the threat is, to be open to change,” he said.

That doesn’t mean neglecting compliance, but rather understanding it as a means to an end. “From a compliance perspective, we know what the required security controls are,” he said. What’s needed is “a culture where we are consistently validating that security is working the way it intended.”

4. Develop a Centralized Compliance Strategy

To achieve compliance, agencies need a guiding vision, a centralized compliance strategy that “integrates all of those various regulatory requirements into a single coherent system,” Hurt said.

Defense and civilian agencies will face different mandates, so to develop your approach, “the first step is figuring out which ones you need to adhere to,” she explained. “Make sure you’re clear on [them], and make sure that you are taking into consideration your critical assets.”

Once the plan is in place, an agency can begin to streamline, “implementing automated tools and platforms for compliance monitoring and reporting,” Hurt said. With modern technology, agencies can “monitor the use of their network resources, user access [and] privilege access to help them improve security while also helping them meet requirements.”

5. Assemble the Right Team

The Navy has consolidated its efforts under the Cyber Ready initiative, incorporating compliance within an overall drive to address current and emerging cyber threats. That requires a team, and sometimes looking externally for vendors to provide additional support.

“We are working very closely with the acquisition and the development community on how we ensure cybersecurity requirements from Day One,” Plater said. That’s led to practical outcomes that foster both compliance and security.

There are weekly adversarial assessments in addition to continuous monitoring. The Navy also consults with industry to achieve “real-time or near-real-time visibility into changes to controls, changes to networks,” he said. “We call that ‘maintaining currency.’”

6. Take Advantage of Compliance Automation

Humans simply cannot keep pace with the controls needed to ensure compliance. “The era of manual and subjective data calls, plagued by significant visibility gaps that result in weakened security and heightened vulnerability, is over,” said Jovanovic.

“When it comes to meeting cyber mandates, technologies like Qmulos’s Q-Compliance can automate the process and help you achieve confidence in your compliance program,” he said.

Automation can help agencies attain “real-time continuous monitoring and risk visibility across the board,” which translates to true operational awareness and cost savings, Jovanovic added. By spending less time and effort on compliance, agencies can devote more resources to the mission and ensure robust cybersecurity across critical systems and data stores.