Applying a Risk-Based Approach to Cybersecurity Compliance
Posted by HYAS | December 23 2021
Identifying your biggest cybersecurity risks is a great place to start addressing your compliance obligations.
Cybersecurity compliance requirements are always changing, and given the pace with which threats evolve and change, that’s certainly a good thing. However, the best method to address these requirements is not always made obvious by the body issuing them. That’s why taking a risk-based approach to compliance is so useful; it lets you identify the areas of your current security strategy that expose your company to the greatest losses.
Before we venture further, it would be useful to lay out a common definition of cyber risk. The National Institute of Standards and Technology (NIST) describes it as:
“Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.”
In other words:
Risk is the summation of the severity of the threat, your vulnerability, the likelihood of that vulnerability being exploited, and the potential impact of that exploitation.
Whether you are obligated to meet controls for HITRUST or PCI, CMMC or FedRamp, or any of the various privacy laws (GDPR, CCPA, PIPEDA, etc.)—all incorporate some form of risk monitoring, identification, and tracking. However, the majority of compliance frameworks do not explain specifically what risk is or how to quantify it. For example, HITRUST CSF Requirement Statement:
“Risk assessments include the evaluation of multiple factors that may impact security as well as the likelihood and impact from a loss of confidentiality, integrity and availability of information and systems.”
It’s not exactly the pinnacle of precise language. For instance, what exactly are these “multiple factors?” How are they judged by the auditor? What falls under an auditor’s purview, and how do they determine what passes for a risk assessment and what is deficient? These are just a few of the questions organizations should consider when looking to achieve or maintain a compliance certification or attestation. Add to this the potential complexity and cost and many organizations are left wondering, “what is compliance actually achieving for my business?” Perhaps a different approach, a risk-based approach, would not only answer this question but also position the organization to not only be compliant but also have a better cyber posture (which, by its nature, reduces risk).
What does this mean to the typical enterprise? The first thing to consider is whether or not meeting compliance is mandatory for your business to continue serving its current markets or even expanding into new ones. If it is, what’s next? Most enterprises approach their compliance requirements through a lens of “controls.” For instance, when attempting to reach compliance under HITRUST’s roughly 285 controls, many organizations take a linear approach to addressing each control and/or control deficiency. This can be a very time consuming and costly approach to gaining and maintaining compliance for a single compliance framework. So what should organizations do when looking at their compliance requirements? Take a risk-based approach.
Over the past few years, we have seen more and more enterprises moving away from a “controls-based approach” to a “risk-based approach.” These organizations are addressing their various compliance requirements by enhancing (or in some cases developing) a Risk Management program. Given this, organizations can harmonize their approach to managing cyber risk with their compliance requirements. This is the case for a few simple reasons. Most of the controls included in any compliance framework are based on preferred or best practices. For example, NIST 800-171 has a number of logging and monitoring requirements that generally overlap with FedRAMP, HIPAA, etc.
Furthermore, any organization that takes monitoring into account as part of its overall Risk Management strategy is likely compliant with the majority of control requirements dictated by each compliance framework. An organization that takes a risk-management approach to logging and monitoring its environment is already satisfying control requirements, potentially even before that organization has a compliance requirement. This example can be extended across several domains: vulnerability management, incident response, data protection, etc.
Ready to learn more about reducing enterprise cyber risk, improving cyber posture, and enabling a faster path towards your compliance initiative? Download our white paper!
