In the fast-paced realm of cybersecurity, the 2023 CISO Virtual Council, hosted by C-Vision International in collaboration with Firemon, brought together cybersecurity experts to delve into the complexities of compliance in hybrid environments.
Our panelists discussed the challenges posed by the convergence of on-premises and cloud technologies. Steve Zalewski, former CISO of Levi Strauss, led the panel as they explored critical questions, and the insights shared were nothing short of illuminating.
Understanding Frameworks and Preferences
Steve kicked off the discussion by probing the panelists about their favorite compliance frameworks and whether a one-size-fits-all approach exists. Tim Swope, CISO of Catholic Health Systems, expressed his allegiance to the NIST framework, considering it a baseline structure. He highlighted the adaptability of frameworks like HITRUST, which acts as a crosswalk that maps NIST controls onto the requirements of specific verticals such as healthcare.
Lawrence Wells, Director of Threat Intelligence at Optum, introduced GDPR as a regulatory control, emphasizing its customer-centric nature. Jonathan Waldrop, Senior Director of Cybersecurity at Insight Global, praised the CIS framework, citing its flexibility and alignment with different maturity levels and implementation groups.
Compliance Beyond Checkboxes
The conversation pivoted to perceiving compliance as more than a checkbox exercise. Steve challenged the panelists to explore whether compliance remains a mere cost or contributes substantially to security programs. Lawrence Wells emphasized the need to go beyond checkboxes, particularly highlighting PCI DSS and its emphasis on responsibility.
Furthermore, Tim Swope reinforced the idea of evidence-backed compliance, stressing the importance of effective implementation, monitoring, and metrics demonstrating compliance's value beyond satisfying audit requirements.
Driving Security Improvements through Compliance
The panelists discussed the role of compliance as a driver for security improvement. Tim Swope reiterated the importance of exceeding compliance to ensure a higher security standard. Moreover, Jonathan Waldrop highlighted compliance as a baseline, allowing organizations to build upon it to enhance their security posture.
Compliance in Business Relationships
Tim Woods, VP of Technology Alliance at Firemon, added a broader perspective, discussing the impact of compliance in business relationships, particularly in the context of mergers and acquisitions. He highlighted how vendor risk assessments and compliance are pivotal in strategic business decisions.
Proactive Security and Continuous Audits
Steve Zalewski challenged the panelists to explore the cadence of audits, moving beyond traditional once-a-year approaches. Tim Swope emphasized the need for ongoing audits, especially when there are changes in the organization or the scope of applications. The panelists discussed the importance of auditing processes continuously rather than relying solely on periodic assessments.
Continuous Compliance vs. Continuous Audit
The conversation then turned to the concept of continuous compliance and whether it is synonymous with continuous audit. The panelists delved into the nuances, emphasizing that compliance is the baseline and continuous monitoring and assessment are essential for adequate security.
Balancing Good Enough Security and Compliance
In the final segment, Steve Zalewski raised a critical question: Can companies strike a balance between good enough security and compliance, especially considering the financial constraints some organizations face?
Tim Swope emphasized the need for thorough research into business requirements, risks, and potential financial ramifications of cyber breaches. The consensus among the panelists was clear: "Good enough" security is no longer sufficient. Robert Cowans, Sr Manager of IT and Cybersecurity at American Airlines, stressed that cutting corners on safety can lead to severe consequences, including financial losses and reputational damage.
The 2023 CISO Virtual Council provided a platform for a candid and insightful discussion on compliance, security, and the pursuit of resilience in today's dynamic cyber landscape. The panelists' diverse perspectives and experiences underscored the significance of a proactive and holistic approach to cybersecurity, with compliance serving as a foundation for continuous improvement.
The discussion concluded with an important reminder that organizations cannot afford to settle for "good enough" security in an era of heightened cyber threats. Thus, the quest for robust cybersecurity measures must go hand in hand with compliance, forming a symbiotic relationship that fortifies businesses against evolving threats.
As the cybersecurity landscape continues to evolve, forums like the CISO Virtual Council play a crucial role in fostering collaboration, sharing insights, and collectively addressing the challenges organizations face in safeguarding their digital assets. Make sure to keep an eye on C-Vision's upcoming events for more insightful conversations.