Source: Jim Goldman
As companies grow and go after bigger opportunities, they will find that enterprise customers are concerned with a potential vendor’s information security — and the vendor’s respective security protocols.
Rather than investing the time and money to assess the security of potential vendors themselves, it is more efficient to insist that potential vendors adhere to recognized security standards such as SOC 2 and/or ISO 27001 and provide objective third-party evidence of the achievement of those certifications. The same might be said for VCs and M&As, as they are performing due diligence for companies they are considering investing in or acquiring.
Many business leaders — particularly in small and medium-sized businesses with limited resources — tend to mistakenly assume that being cybersecurity “compliant” is the same as being “secure.” In this article, I’ll examine the difference between security compliance and cybersecurity and why it is important to include both in a comprehensive cyber risk management strategy.
SOC 2 Attestation and ISO 27001 Compliance
SOC 2 attestation and ISO 27001 certification are thresholds or costs of doing business that companies must accept if they are going to sell their services to enterprise-scale companies. They represent that a company’s systems are set up to assure security, availability, processing integrity, confidentiality and privacy of customer data — particularly relevant to cloud-based SaaS (software-as-a-service).
The compliance process requires a team that can assess an organization’s current state against either the SOC 2 or ISO 27001 standards and identify any gaps in policy, process, people and/or technology. Once gaps are identified, a comprehensive plan must be developed to close those gaps in a timely manner in order to meet the certification deadline. The process can be overwhelming to small business leaders because — particularly with the ISO 27001 certification and associated audits — they require very specific controls to be implemented in a certain way, as documented by detailed evidence.
While achieving SOC 2 attestation or ISO 27001 certification is certainly important — even required — to assure customers and clients that they have data protection protocols in place, it is not the sole indicator of being cybersecure, as certifications will not mitigate the risk of a cyberattack.
Just as compliance and security are not the same thing, compliance and certification are also not the same thing. Compliance is important and can be achieved with or without certification by an objective third party. Any mature cybersecurity program should have an equally mature compliance program to be able to monitor and assure all security controls and related processes and procedures are operating as intended and being objectively measured. Evidence of compliance should be gathered, reviewed and audited even if there are no external auditing parties involved. It is the only way that we can be assured that a cybersecurity program is working as intended.
Whether you are completing your SOC 2, ISO 27001 or both, the requirements are the same for any company. But every company is different in terms of cyber maturity, the number of employees dedicated to cybersecurity and financial resources to invest.
With compliance programs, the requirements may only pertain to a subset of the business while comprehensive cybersecurity programs are implemented throughout the entire organization. One example is National Institute of Standards and Technology (NIST) requirements that only apply to federal data. These requirements will be more stringent but do not impact other more widespread areas of your business.
With that in mind, here are three integrated steps to a complete cybersecurity program:
- Understand risk.
With the SOC 2 attestation and ISO 27001 certification, the respective processes take months, and the renewals are annual. Running vulnerability risk assessment scans, on the other hand, should be on a more frequent cadence and on an ongoing basis. According to one source, organizations that scan with a steady cadence remediate flaws on average 15.5 days faster.
Types of scans include the dark web (frequent), internal and cloud environment scans (weekly) and external scans (monthly).
- Mitigate risk.
Once you understand your risk with regular vulnerability assessments, the next step is to mitigate the opportunities for cyber threats by prioritizing according to risk severity and repairing the most severe areas of vulnerability.
Most scans produce results that are referred to by their Common Vulnerabilities and Exposures (CVE) designation. As explained in Security Intelligence, “This system provides a standardized name for cataloging and managing publicly known security vulnerabilities … [using] a numerical criticality score from 1 to 10 (with 10 being the most critical) based on factors such as the type of attack, level of access required and overall complexity.”
While tools and systems help you identify your biggest threats, they need to be weighed against the risk to your particular organization — the potential for loss, damage or destruction of an asset.
Ask yourself, “What is the impact of a given vulnerability to our bottom line, our operations and our company’s reputation?” Cross reference the size of impact with the highest threats and fix those areas first.
- Transfer risk.
Understanding and mitigating risk are imperative for making sure your company is cybersecure, and they are what is visible to your customers, vendors and financial stakeholders. But there will always be residual risk that you want to transfer with cyber insurance. This is the part of being cybersecure that allows you to recover financial losses from business interruption, among other types of business protections, in the event of a cyberattack.
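The first two steps above (keeping scans on cadence, then ranking findings by scanner severity weighted against business impact) and the residual risk left for the third step, as an added worked example that is not from the article: the scan cadences are the article's, while the findings, the placeholder CVE ids, the 1-3 impact ratings per asset and the product-of-severity-and-impact scoring are assumptions for illustration.

```python
from datetime import date

# Scan cadence from the article: internal and cloud weekly, external monthly.
SCAN_CADENCE_DAYS = {"internal": 7, "cloud": 7, "external": 30}

def overdue_scans(last_run, today):
    """Scan types whose last run (ISO date strings) is older than its cadence."""
    t = date.fromisoformat(today)
    return sorted(s for s, days in SCAN_CADENCE_DAYS.items()
                  if (t - date.fromisoformat(last_run[s])).days > days)

# Constructed sample scan findings; the CVE ids are placeholders, not real ones.
FINDINGS = [
    {"id": "CVE-PLACEHOLDER-1", "cvss": 9.8, "asset": "internal-wiki"},
    {"id": "CVE-PLACEHOLDER-2", "cvss": 7.5, "asset": "billing-api"},
    {"id": "CVE-PLACEHOLDER-3", "cvss": 5.3, "asset": "marketing-site"},
    {"id": "CVE-PLACEHOLDER-4", "cvss": 4.0, "asset": "billing-api"},
]

# Assumed 1-3 rating of each asset on the article's three impact questions:
# bottom line, operations and reputation.
ASSET_IMPACT = {
    "billing-api":    {"financial": 3, "operations": 3, "reputation": 3},
    "internal-wiki":  {"financial": 1, "operations": 2, "reputation": 1},
    "marketing-site": {"financial": 1, "operations": 1, "reputation": 3},
}

def impact(asset):
    """Sum of the three impact ratings (3..9) for an asset."""
    return sum(ASSET_IMPACT[asset].values())

def risk(finding):
    """Scanner severity weighted by what the affected asset means to the business."""
    return round(finding["cvss"] * impact(finding["asset"]), 1)

def prioritize(findings):
    """Findings ordered by business-weighted risk, highest first (fix these first)."""
    return sorted(findings, key=risk, reverse=True)

def residual_risk(findings, fixed_ids):
    """Weighted risk that remains after the listed findings are remediated."""
    return round(sum(risk(f) for f in findings if f["id"] not in fixed_ids), 1)

if __name__ == "__main__":
    ranked = prioritize(FINDINGS)
    for f in ranked:
        print(f"{f['id']:<18} cvss={f['cvss']:<4} {f['asset']:<15} risk={risk(f)}")
    fixed = [f["id"] for f in ranked[:2]]
    print("residual risk after fixing", fixed, "=", residual_risk(FINDINGS, fixed))
    last = {"internal": "2024-01-01", "cloud": "2024-01-10", "external": "2023-12-01"}
    print("overdue scans on 2024-01-12:", overdue_scans(last, "2024-01-12"))
```

Note that the highest CVSS finding is not first in the weighted order: the 7.5 on the billing API outranks the 9.8 on the internal wiki once asset impact is taken into account.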
To summarize, being compliant is important to giving your customers confidence that you are protecting their data, but it is not the same as being cybersecure. Make sure you completely understand your risk, mitigate areas of greatest risk and transfer residual risk for a comprehensive cyber risk management program.