At the close of NetDiligence’s “Building a Compliance Program Without Breaking the Bank,” panelist Steve Greenawalt (DFDR) recommended two immediate actions for organizations – enable two-factor authentication and keep an eye on the big picture of the risk landscape. This zoom-in/zoom-out approach characterized the entire session, with moderator Josh Mooney (White & Williams) leading panelists Greenawalt, Liz Hinkle (2U), and Kerry Manaster (Cloud Security Alliance) in a discussion that shifted focus rapidly between the eagle’s eye view and the nitty gritty.
Manaster delved immediately into details with descriptions of existing frameworks (NIST, ISO, and CIS) that could be considered when building a program. He recommended that companies choose carefully, noting that standards may differ domestically versus internationally. Hinkle countered with a big-picture approach, suggesting that organizations take time to assess their resources and appetite for risk as they begin the process. Some questions that might be considered: Who is the program for? What resources of time and personnel can be devoted? How does security interplay with the company’s product? What expectations exist within the executive team, workforce, customers, and potential auditors?
Both Manaster and Hinkle stressed the importance of involving cross-functional teams in the development process and of maintaining a developmental mindset. Cross-functional teams are essential for identifying risk across the organization, building trust and buy-in from all sectors, facilitating communication and training, and possibly serving as a pilot group in a phased roll-out. The developmental mindset will assist in prioritizing the establishment of controls, since not all risks can be addressed at once. Furthermore, documenting choices and priorities along the way will allow the program to be refined as needs change.
As the panel turned to practical considerations of setup and onboarding, Greenawalt returned to the basic purpose of risk assessment: to systematically uncover and quantify risks as the first step to eliminating, mitigating, or accepting them. Data itself is a risk, and understanding how it is used, where it is stored, and when it can be discarded is essential. In support of this idea, Manaster recommended tracking workflows to understand how data comes into organizations and to identify redundant data sets. Similarly, organizations should track devices in a systematized way.
Onboarding and offboarding of staff and vendors provided another area of concern. While organizations tend to be cognizant of onboarding, they may miss the importance of managing horizontal moves within an organization and may find the offboarding process complex. As with all facets, assessing and updating controls as an iterative process is essential.
In the end, ground-level controls and techniques must be part of big-picture thinking. Hinkle encapsulated this mindset, calling on organizations to “proselytize the lens” of security – creating an organizational culture that includes everyone and builds products that incorporate cyber security in their design.