Why Forward-Thinking Companies Meet Compliance Standards Even When They Don’t Have To

April 2018: While some companies disparage compliance standards, others embrace them, even when they’re not required to. Cybersecurity regulations establish required controls, but they also do something else: they codify best practices.

Here’s what’s motivating organizations to follow security frameworks that look like those of regulated businesses:

1. Now it’s about business, not just avoiding risk

Until recently, a lot of businesses considered IT security to be more about risk management and overhead than an investment that generates revenue. Now, mature IT security is becoming a competitive advantage. With the increase in the number and severity of data breaches and the nonstop (and constantly morphing) onslaught of ransomware attacks, the C-suite is prioritizing security, not only to protect the business but to make it a more attractive partner and vendor.

While nothing matches the urgency of a company scrambling to fix security problems after it’s experienced a breach, companies are moving fast to make security improvements that look a lot like the standards that regulated industries have to meet.

The key here is that companies are thinking about security processes in a more modern way. These are not one-time investments in response to specific events. Rather, the changes represent a way of doing business that positions companies as trustworthy leaders in cybersecurity preparedness.

2. Documentation requires (and proves) forethought

The foundation of any IT security framework is policies and procedures. The work required to think through and develop the documentation that defines how an organization securely manages its processes pays off in a lot of ways:

  • Safeguards the organization
  • Defines access rights
  • Lays the groundwork for managing change
  • Ensures scaling that’s faster and more seamless
  • Serves as training material
  • Provides proof of secure information exchange
  • Facilitates audits

Getting the security documentation right isn’t always easy, but forward-thinking organizations believe it’s worth the effort. And where processes exist only as institutional memory and have never been formally documented, getting them in writing protects the company and helps it scale.

Guiding principles set the stage for successful documentation: for example, limiting access to sensitive data to the people who need it, or recording each step of a process so it can be audited later. When these principles are communicated clearly to everyone, whether employees, business partners, or vendors, the policies that flow from them become business assets.

3. Customers are demanding it

The weakest link in a company’s security is often its third-party vendors. Even trusted business partners must now prove that they operate in ways that won’t put their other partners at risk, which means submitting to audits and providing security documentation on an ongoing basis. And it’s not just companies doing business in regulated industries that have to prove they’re secure; almost every organization is a target for bad actors.

This is why solid cybersecurity documentation can result in new business, or at least fewer barriers to entry. Today, IT security requirements are written into standard RFPs because companies need their vendors to be as secure as they are. Financial services firms, publicly traded companies, and other regulated businesses all require compliance-level security processes from their vendors, and so do manufacturers, research companies, and other companies with supply chains and data to protect.

For guidance, forward-thinking companies turn to frameworks such as ITIL, NIST, and the CIS Critical Security Controls (originally published by SANS). And beginning 25 May 2018, any organization that processes the personal data of individuals in the European Union, wherever that organization is located, will need to meet the data protection requirements of the EU’s General Data Protection Regulation (GDPR).

It’s clear to many businesses that to compete, they need to update the way they think about IT security. As a managed IT service provider, Leapfrog has been helping clients transform their IT networks and infrastructures into secure, business-building environments for 20 years. Every environment we design has security built in. Leapfrog is SSAE-18 compliant, we document everything we do, and we encourage our clients to leverage our secure operations to help them win new business. Why reinvent the IT wheel when they can use ours? Help with audits, compliance issues, internal and external threats, and disaster recovery planning and execution (including DRaaS) is also part of what we offer. If your organization is interested in improving its IT security framework, please give us a call.

If you liked this post, don’t forget to subscribe to FrogTalk, our monthly newsletter.