In an era of heightened cyberthreats and data breaches, there’s been an increasing focus on regulatory compliance. In addition to the global effort to enhance data privacy, the SEC has updated incident reporting guidelines. Businesses face increasing pressure to maintain compliance across regions, mitigate risks and improve consumer protection and stakeholder trust.
Transparency and Accountability in Cybersecurity Practices
The SEC has adopted rules requiring companies to disclose cybersecurity incidents by providing information about their nature, scope and impact. Businesses must also provide accurate, detailed disclosures and avoid generic or misleading information about cybersecurity risks and incidents. The SEC emphasizes the need for effective internal controls and procedures to help provide timely, accurate reporting of cybersecurity incidents and evaluate the incident’s impact on the company’s risk profile. Organizational efforts in these areas don’t go unnoticed either, as the SEC has recognized companies that cooperate with investigations and take steps to remediate control deficiencies.
The Most Likely Challenges IT and Security Teams May Face
To comply with these regulations, companies must build robust systems focused on preventing and managing incidents; however, IT organizations and security teams charged with this task will experience some challenges. A lack of cross-functional collaboration is one such challenge.
Security is often seen as a “business” problem rather than a technology issue. This can create silos between legal, risk or compliance departments and IT, engineering and security teams. This disconnect makes it harder for IT teams to advance conversations about cybersecurity risk management in the software development life cycle.
Budget constraints and resource allocation can pose challenges, such as misaligning priorities. Development teams usually see security requirements as “yet another requirement” besides what the product needs instead of as an integral part of it.
And finally, there is the ever-evolving technology landscape. As organizations adopt new technologies like cloud computing, AI and the internet of things (IoT), they introduce knowledge gaps across organizations — making it challenging to create a threat intelligence system.
How to Overcome These Challenges
Below are a few examples of how organizations can overcome these challenges to remain compliant and uphold their cybersecurity practices.
1. Building Security Champions Across the Board
Security isn’t solely the CISO’s responsibility. It should extend beyond the security team to those who develop and manage applications and infrastructure. The key is fostering allyship by identifying and training security champions across teams.
2. Develop an In-Depth Incident (Internal and External) Response Plan
Create a list of actions to be taken when an incident occurs, train teams in advance and assign responsibilities and ownership to teams for the actions outlined in the plan. Outline the distinction between internal and external communication, as publicly listed companies need to be more cautious about public statements, which may result in slower and more deliberate communication. However, internal communication should be swift to help maintain optimal response times. Identify tools, processes and approvals in advance and automate them as much as possible to minimize human errors while incorporating human review and approvals as part of workflow automation.
3. Make Cybersecurity an Organization-Wide Priority
Business units must prioritize security. Allocate necessary bandwidth and budget to address security-related issues. Train teams on security practices, emphasizing the business and reputational impacts of non-compliance. Implement reward systems for teams that align with the organization’s security policies, fostering positive reinforcement and commitment towards security.
4. Integrate Security and Compliance Into the Product Development Life Cycle
To manage security proactively, creating a security tech debt list and developing a plan to minimize it with each release is essential. This includes verifying that new releases don’t contain any CVSS critical and high-score CVEs and aiming to reduce the number of CVEs by 5% with each subsequent release.
Additionally, implementing mandatory security clearance for Tier 1 and Tier 2 releases is crucial to screen for security and compliance artifacts, thereby reducing post-launch risks. For Tier 3 releases and below, it’s important to mandate the reporting of security metrics and commitments to reduce security debt. This structured approach helps address security vulnerabilities and maintain a robust security posture.
5. Overcome/Modernize Legacy Systems
Legacy systems often rely on software that vendors no longer support. The common vulnerabilities and exposures (CVEs) identified in such software make critical applications susceptible to exploitation, significantly contributing to security incidents. To mitigate these risks, it’s essential to establish a plan for periodically modernizing software. This includes strategies for refactoring and upgrading legacy software to avoid emergencies.
6. Adopt Automation and Modern Solutions
Finally, invest and implement automation, which is crucial in managing security. By deploying automation solutions, your organization enhances efficiency, consistency and speed in identifying and responding to threats.
Some of the areas that will benefit are:
- Faster Threat Detection and Response: Automated systems can quickly identify and respond to security threats, reducing the risk of breaches. This proactive approach facilitates continuous improvement in threat detection and mitigation.
- Streamlining Routine Tasks: Automation handles repetitive tasks like patch management and vulnerability scanning, freeing up security teams to focus on more complex threats and strategic initiatives.
- Enhanced Compliance Monitoring: Automated compliance tools help organizations adhere to regulatory standards by continuously monitoring and reporting on compliance activities. This reduces the risk of non-compliance and provides a clear audit trail.
The challenges in advancing compliance conversations are significant. However, they provide IT teams and CISOs with opportunities to demonstrate leadership and innovation. IT and security leaders can gain a competitive advantage and drive further success by leveraging automation, aligning compliance with business goals and fostering cross-team collaboration.
