WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting
WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

Compliance: A Brief History, Challenges Today, and How to Best Address Them

The compliance scene is complex and ever-changing. Here are ways teams can stay ahead of it.

Strata Consulting was founded in 2011 with a mission to help companies build scalable, secure, and efficient security programs and infrastructure. In that span of time, we have seen a lot of security programs and have worked with companies of all sizes and types. From the small two-person startup that has grown to thousands of employees and subsequently IPO-ed, to large biotech companies that have embarked and since then completed infrastructure transformation from on-premise data centers to hybrid cloud–we have seen a lot of security programs at different stages of maturity and have helped many companies complete their objectives.

The truth is–companies today face a much more challenging security and compliance environment than in the past. When I first started my career in the nineties, building secure infrastructure and security programs was something done only by the largest companies. For smaller companies, security and compliance requirements were relevant insofar as it made business sense to apply best practices. It was not so much that they thought security was not important, rather most were focused on developing products and making them available.  

A Brief History of Compliance

Prior to the year 2000, compliance was largely the domain of companies working with governments and companies dealing with regulatory and legal requirements. Security and compliance standards existed with NIST and SAS 70. Companies leveraged these as best practices, and compliance was applicable to those that worked with large organizations requiring these practices.  There was no forcing function for the majority to be compliant.

The 2000s was a period where we saw the seeds of mainstream compliance being planted. In 2004, PCI stepped onto the scene with PCI v1.0 to mandate requirements for companies that process, transmit, store or accept cardholder data. SAS 70 from the AICPA was used to demonstrate control objectives and validate control activities. First published in October 2005, ISO 27001 was later revised in October 2013 to better accommodate the changing information security challenges. Back then, the requirement to be ISO 27001 compliant mostly applied to companies in Europe or those working with them.

The 2010s was a Renaissance period for compliance.  Alongside the rise of cloud services and globalization, we saw rapid maturity and adoption of compliance standards. In 2010, the AICPA introduced SOC 2 and Service Organization Controls to replace SAS 70. ISO 27001 became more relevant as companies continued to market their services all over the world, especially in Europe. We also saw the rise of privacy compliance due to the invalidation of the US-EU Safe Harbor and eventually the requirements for the GDPR in 2018.

Fast forward to the 2020s and we see that security and compliance have gone fully mainstream. Today, due in part to the proliferation of cloud services and rising maturity in risk management, companies regularly come under the scrutiny of customers for security requirements and are held accountable to a swath of different frameworks, including, but not limited to these:

  • SOC 2
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • PCI
  • HIPAA
  • HITRUST
  • FedRAMP
  • CMMC
  • NIST 800-53
  • NIST 800-171
  • GDPR
  • CCPA
  • APEC

As more companies pursued the compliance requirements above, their third-parties and vendors were also required to maintain similar processes. This cycle had a positive effect in requiring security compliance to become more mainstream, but also made it a challenge for companies of all sizes to implement and maintain.

Key Compliance Challenges Today

Among the many security and compliance challenges companies face today, these are the ones we see over and over again.

  • More security and compliance requirements. Keeping up with more security and compliance requirements as the company grows.
  • Privacy requirements. Keeping up with privacy regulations and their intersection with security and compliance.
  • Decentralizing security. Making security a part of every individual and department instead of being owned and enforced centrally. 
  • Customer security requests and audits. As companies acquire more and larger customers, they are subject to more and more difficult security questions and are often required to support customer audits.
  • Changing and increasing compliance scope. Managing compliance evidence and requirements in the face of changes or increases in scope and environment(s).
  • Complexity in managing cloud risks.  Complexity in managing risks on a technology stack that uses multiple cloud service providers and where there is shared responsibility to protect data.
  • Effective incident response. Challenge of implementing and managing effective incident response processes.
  • Security monitoring in the cloud.  Adequate and reliable security monitoring of data and infrastructure in the cloud.
  • Effective vulnerability management.  Managing vulnerabilities across cloud providers and the technology stack.
  • Security staff turnover. Employee turnover in security and compliance resulting in the loss of valuable domain knowledge.
  • Shortage of security and compliance staff. Shortage of resources to keep up with the increase in demand.

No Silver Bullet for Compliance

How do companies address these challenges?  

While there is no silver bullet, companies can opt to leverage baseline approaches that have worked in the past, as well as take advantage of improved tools, technology, automation, and experienced resources that are available today to address these challenges.  One downside to many approaches that have worked in the past is that they tend to be manual and require constant maintenance to keep up to date.

The following are key areas to systemize well in order to adequately address challenges:

  1. Controls, policies, and procedures management 
  2. Audit management
  3. Change management
  4. Vulnerability management
  5. Risk management
  6. Vendor risk management
  7. Customer response management
  8. Incident management
  9. Privacy management

Although we wish we could answer with a single product or service, compliance still requires companies to continually assess how to manage their people, processes, and technology to mitigate their risks. Companies must focus limited resources against the ever-growing landscape of threats and regulatory requirements. 

Better Ways to Systemizing Compliance

Here is a summary of these key areas and the baseline ways we have seen companies attempt to systemize addressing them.  We also provide some recommendations on a better approach.

Key Areas to Systemize

Baseline

Better

Control, Policies, and Procedures Management

  • Build and maintain a common control spreadsheet and map controls to applicable compliance
  • Review and update policies on a regular basis in a content management platform or internal site that allows version tracking
  • Standardize security policies and procedures in a location accessible by all employees
  • Evaluate and select an effective GRC tool to manage security controls, policies and procedures. Leverage the tool to establish a common control database 
  • Use a GRC tool that includes mapping to the compliance framework(s)  

Audit Management

  • Build a control narratives document, supporting how controls are met so they can be used in subsequent years
  • Organize evidence used to support each audit in the folder
  • Leverage control narratives and well organized evidence tracked to meet subsequent years' compliance requirements
  • Use an effective GRC tool to manage compliance and customer audits
  • GRC tool can be used to manage and disseminate audit narratives and audit procedures to control owners 

Vulnerability Management

  • Maintain a common repository for vulnerabilities in the primary vulnerability management tool and/or spreadsheet
  • Leverage capable vulnerability scanning tools to perform regular scans of the networks
  • Conduct regular penetration testing with a skilled and reputable testing vendor or resource


  • Conduct more regular penetration tests on a continuous basis as the environment changes
  • Use a modern vulnerability management tool that has intelligence on cloud provider vulnerabilities
  • Integrate with cloud providers to gain a more clear and accurate picture of vulnerabilities
  • Leverage vendors that can provide penetration testing as a service and are able to deliver results as they find them
  • Remediate vulnerabilities quickly in a time frame commensurate with their risk level and threats
  • Leverage vendors that can feed vulnerabilities and penetration test findings into a GRC tool to view and action in context of the overall risk to the organization

Risk Management

  • Create a standard risk register 
  • Conduct risk assessments at least on an annual basis
  • Update the spreadsheet
  • Review and follow up on risks with risk owners
  • Combine a GRC tool with an effective risk management tool
  • Conduct risk assessment on a continuous basis
  • Train the organization to input new risks into the risk tool as they arise
  • Review and address risks on a regular basis (e.g. weekly, monthly, quarterly)
  • Integrate GRC tool with key systems to periodically gather risk data from customer systems

Vendor Risk Management

  • Send vendors a standard organizational risk assessment questionnaire 
  • Analyze the response for key risks
  • Follow up on questions
  • Request vendors to address risks as suggested by the vendor risk process
  • Combine a GRC tool with an effective vendor risk management tool and integrate with the overall Risk Management process
  • Send vendors the risk questionnaire using the GRC web tool
  • Leverage GRC tool to review and approve vendors before onboarding
  • Establish consistent vendor onboarding/offboarding
  • Conduct periodic reviews to assess risk

Customer Response Management

  • Create a standard customer response register in a spreadsheet
  • Respond to customer questionnaires 
  • Use a GRC tool to transfer responses from previous customer questionnaires to new questionnaires 

Privacy Management

  • Review and update privacy policies on a regular basis in a content management platform or internal site that allows version tracking
  • Standardize privacy policies and procedures in a location accessible by all in the organization
  • Leverage a privacy management tool to track privacy controls and how they map to target regulations such as GDPR, CCPA, APEC, etc.
  • Leverage a tool to fulfill privacy requirements such as cookie compliance, data subject requests, etc

 

What’s Next?

Strata have found that teaming up with Cobalt helps companies maintain a security vulnerability management practice. Continuous monitoring and testing of one’s environment helps build a more real-time and accurate risk profile. Further, continuous penetration tests supply data that can identify whether the compliance program and information management systems are operating effectively. If a penetration tester is able to exploit vulnerabilities and bypass company controls, this is feedback on where to improve.

As technology and organizations continue to evolve with risks and threats, we expect compliance to also evolve and change.  To keep up with these changes, companies need to rely on fundamentals that work while leveraging tools, experienced resources, and automation to scale alongside growing scope and complexity.

As a company that has been working in the forefront helping others build and evolve security and compliance programs with a collective 150+ years of experience, Strata looks forward to the future and helping customers adapt to meet these challenges.

 

Back to Blog
About Thomas Fou
Thomas is the CEO & Founder of Strata Consulting, a premier consulting firm based in the San Francisco Bay Area focused on delivering world-class Security, Compliance, DevOps, and Infrastructure consulting services. He has over 18 years of experience helping companies build and manage IT and security programs. More By Thomas Fou