There are fewer closer relationships in the C-Suite than the CISO and the Chief Compliance Officer (CCO). CIO/CTOs’ might have the closest relationship, but theirs is on the execution side, as a company’s CISO can’t secure the IT environment without the support of the technology team.
The CISO’s relationship to IT represents the “how” of information security. As the CCO, you’ll work closely with the CISO on the “why” of cybersecurity.
In a perfect world, good cybersecurity exists from the beginning to protect the company assets. In the real world, the belief that “it can’t happen to us” kept many companies from investing in cybersecurity.
Thus, regulations and industry standards were developed to give companies an extra nudge to do the right thing. The payment card industry launched the Payment Card Industry Data Security Standard (PCI-DSS). Healthcare data got the HITECH Act to set some security standards, giving a safe harbor to companies following its baselines. And most recently, the SEC has provided rules to public companies around cybersecurity preparedness and incident disclosures.
Compliance at the Beginning
For many companies, the journey into cybersecurity began with compliance. Passing an audit, getting an attestation, or a report of compliance became a requirement to continue to do business with banks, partners, and customers. Since these standards include basic cybersecurity hygiene, putting the controls in place becomes a priority. Most data security frameworks share common controls, such as encryption at rest and encryption in motion. A company can cover many different compliance requirements with a single security plan.
The CCO’s responsibility grew to include cybersecurity requirements, but they always covered more than the technology side of the business. Your responsibilities extend into operations, human resources, and more. As the CCO, you need to understand the full compliance environment in which the business operates.
Not only do compliance frameworks often include information security, but they also extend into growing areas such as privacy. Implementing privacy also has a natural connection to technology. No matter which way you turn, you need a close alliance with the CISO.
It’s a mutually beneficial relationship
Likewise, the CISO benefits from your efforts because many of the technical controls they would like to implement are also required for compliance reasons. From encryption to monitoring, and even multifactor authentication, modern compliance standards dictate the minimum bar of good information security.
When the CISO is struggling for budget approval, they often look for an ally with the CCO. Whether or not leadership thinks they need security, they typically will agree to the necessity of being compliant with the laws and regulations of the industry.
Cybersecurity is risk management. The risk of noncompliance has been a major factor in traditional risk analysis. When building out the risk matrix, the risk of breach may be low, but the risk of noncompliance is typically high. Between audits and whistleblowers, regulatory noncompliance can be hard to hide. And when it’s discovered, the loss of business and cost of penalties provides a strong financial reason to stay ahead of the requirements.
Don’t just “check the box”
While the CISO/CCO alliance can be a benefit, the business needs to be careful of not just doing “check the box” compliance. This may seem like a cost-saving approach, but instead, it’s really a poor use of capital.
When you’re doing the bare minimum to meet compliance requirements, you are also not getting the true benefit of the cost being spent. The controls will never be as effective since people don’t truly believe in them. The risks they are designed to mitigate will not be as managed as leadership believes.
This is where creating a culture of security and a culture of compliance becomes a unified effort. You and your CISO should make the efforts part of the company culture. Draft policies and design procedures built around your company values. Encourage employees to do the right thing, every time, and reward those who do. Build safe mechanisms for people to report gaps and risks. Fix them when they are found. Promote a “see something? Say something!” environment for all business risks.
Making security and compliance part of your culture aligns the CISO and CCO’s efforts. It aligns the business’s strategy and tactics with those efforts as well. It keeps the risk management exercise aligned with the business’s goals. This alignment has the obvious benefit of lower costs and effort to implement the necessary programs. It also allows leadership to enjoy cost savings.
A holistic view of compliance and security allows controls to cover multiple domains. Evidence of compliance can serve multiple audits. Even audits may have the ability to reduce their costs, where the information can be shared.
The Wrap
Lower costs, less effort to implement for the team, and more effective, real risk mitigation are the benefits to be realized when you and the CISO work together. You can replace “check the box” compliance with real protection for the business. You can have real, measurable results to reduce risks and keep other compliance costs, such as insurance, lower. The return on investment is real, in preventing future larger losses. The outcome is obvious, and the growth and success of the business will be better for it.
Make sure the CCO and CISO are joined at the hip at your company too!
