CISO Perspectives on Complying with Cybersecurity Regulations

Fri, 05 Apr 2024 – https://www.indiavpn.org/2024/04/05/ciso-perspectives-on-complying-with-cybersecurity-regulations/

Compliance requirements are meant to increase cybersecurity transparency and accountability. As cyber threats increase, so do the number of compliance frameworks and the specificity of the security controls, policies, and activities they include.

For CISOs and their teams, that means compliance is a time-consuming, high-stakes process that demands strong organizational and communication skills on top of security expertise.

We tapped into the CISO brain trust to get their take on the best ways to approach data security and privacy compliance requirements. In this blog, they share strategies to reduce the pain of dealing with the compliance process, including risk management and stakeholder alignment.

Read on for recommendations for turning compliance from a “necessary evil” into a strategic tool that helps you evaluate cyber risk, gain budget and buy-in, and increase customer and shareholder confidence.

Which CISOs care most about compliance?

How CISOs view cybersecurity compliance can vary greatly, depending on their company size, geography, sector, data sensitivity, and program maturity level. For example, if you’re a publicly traded company in the United States, you’ll have no choice but to comply with multiple regulations, as well as maintain risk assessments and corrective action plans.

If you’re a government agency or sell to one, you’ll have specific compliance public sector requirements to meet. Banks, healthcare organizations, infrastructure, eCommerce companies, and other enterprises have industry-specific compliance rules to follow.


Even if you don’t fall into one of these categories, there are many reasons you’ll need to demonstrate security best practices, such as seeking SOC certification or applying for cybersecurity insurance. For all organizations, broad cybersecurity compliance frameworks like NIST CSF and ISO provide models to follow and structures for communicating results.

That said, “security does not equal compliance” is a mantra often heard among CISOs. Certainly, just because you’re compliant, that doesn’t mean you’re secure. Highly mature cybersecurity organizations may consider compliance the bare minimum and go well beyond the required components to protect their organizations.

Compliance as a business enabler

While a CISO can recommend cybersecurity investments and practices to meet compliance requirements, they aren’t the ultimate decision-maker. Therefore, a key responsibility of a CISO is communicating the risk of non-compliance and working with other company leaders to decide which initiatives to prioritize. Risk, in this context, incorporates not just technical risk, but also business risk.

Steve Zalewski, former CISO of Levi Strauss, likes to use the “carrot and stick” metaphor. “Audit and compliance historically have been the stick that makes you have to do something,” he shares on the Defense-in-Depth podcast, “but making [you] do it doesn’t mean that the business is aligned to the value of doing it.” To avoid friction, he recommends showing people the business value of compliant cybersecurity. “There has to be a carrot component to make them feel like they have a choice in the matter,” he says.


Let’s say an organization isn’t fully meeting a security best practice for privilege management. While non-compliance could result in regulatory fines and shareholder lawsuits, the underlying security gaps could cause an even greater impact on the business, including downtime, ransomware payments, and revenue loss. Meeting compliance requirements, on the other hand, could deliver business value, such as faster sales, stronger partnerships, or lower cyber insurance rates.

As part of a comprehensive risk management program, boards and executive leadership must weigh the costs and benefits of ensuring compliance with the potential costs of non-compliance. In some cases, they may decide that a certain level of risk is acceptable and choose not to implement additional safeguards. In other cases, they may double down.

How CISOs use compliance frameworks to plan their cybersecurity roadmap

Some CISOs use compliance frameworks as a methodology for techniques and processes to incorporate in their cybersecurity program. Essentially, they inform program priorities and create a shopping list for must-have solutions that align with the program they’re trying to build.

On the Audience First podcast, Brian Haugli, former Fortune 500 CISO, sees a difference between being compliance-dependent and using compliance frameworks to guide informed risk management.

“We can’t be black and white. We have to be able to make risk-based decisions, to say, ‘I will accept this risk because I can’t afford to close it right now. But I will do these things to mitigate risk to a low enough level that allows me to accept them.’”

CISOs need partners in compliance

CISOs aren’t in the compliance boat alone. They must build partnerships with legal teams, privacy officers, and audit or risk committees to understand changing compliance requirements and decide how to address them.

Sometimes these internal partners require security teams to implement stronger controls, but they can also put on the brakes. As one CISO of a fast-growing technology vendor told us, “Frankly, Legal outweighs me every day of the week. They tell me what I can and can’t do. I would love to be able to monitor everyone’s behavior, but privacy laws say I can’t do that.”

Compliance teams do many things that security engineers and analysts don’t have the time or resources to do. They hold security accountable, double-checking that the controls are working as expected. They act as intermediaries between security teams, regulators, and auditors to demonstrate compliance, whether that means collecting evidence through manual security questionnaires or via technology integrations.

For example, for a public sector certification, security controls need to be monitored, logged, and retained for at least six months of data to evidence that they’ve done what they said they were going to do.

Tools and resources that support compliance

Risk registers are helpful in aligning all stakeholders by documenting all risks and organizing them by priority. With everyone looking at the same information, you can agree on appropriate actions. As part of a risk management program, policies, standards, and procedures are regularly reviewed, and any changes approved before implementation.

Using tools like GRC systems and continuous compliance monitoring, organizations can track ongoing security activities and report results. GRC systems can link to SIEMs to collect logs and vulnerability scanners that show checks were completed. “Instead of shuffling spreadsheets around, we’ve built various connectors that integrate with our GRC platform to evidence that we are in compliance,” explains the tech CISO. “They map across certifications in a single pane of glass, so when an auditor comes in, we show them a screen that says, ‘Here’s the evidence.‘”

In addition to tooling, many companies rely on third parties to conduct compliance assessments. They may perform an internal compliance audit before an external one to make sure there are no surprises if regulators come calling.

Comply once, Apply to many

Most organizations have numerous compliance bodies they must answer to, as well as cyber insurance providers, customers, and partners. While compliance can be a burden, the good news is that there are techniques to streamline the assessment process. “If you look across all the major compliance bodies, about 80% of the requirements are the same,” says the CISO of a SaaS provider. “You can align with a framework like NIST and apply the same practices across them all.”

For example, Privileged Access Management (PAM) requirements like password management, Multi-Factor Authentication (MFA), and Role-Based Access Controls are common across compliance frameworks. You can dig into the specifics to see how PAM shows up in a variety of compliance requirements on Delinea.com.

Emerging compliance requirements

Compliance is a fluid space with requirements that evolve to address changing risk patterns and business conditions. CISOs are looking to compliance bodies for guidance on managing emerging cyber risks, such as Artificial Intelligence.

Moving forward, CISOs expect that ensuring compliance will become an even greater part of their job. As the industry faces ever-growing threats, compliance is a key part of a strategic and comprehensive approach to cybersecurity risk management.

For more on this topic, check out Delinea’s 401 Access Denied podcast episode: Securing Compliance: Expert Insights with Steven Ursillo

Need a step-by-step guide for planning your strategic journey to privileged access security?

Start with a free, customizable PAM Checklist.

Meta Details WhatsApp and Messenger Interoperability to Comply with EU’s DMA Regulations

Fri, 08 Mar 2024 – https://www.indiavpn.org/2024/03/08/meta-details-whatsapp-and-messenger-interoperability-to-comply-with-eus-dma-regulations/

Mar 08, 2024 | Newsroom | Interoperability / Encryption

Meta has offered details on how it intends to implement interoperability in WhatsApp and Messenger with third-party messaging services as the Digital Markets Act (DMA) went into effect in the European Union.

“This allows users of third-party providers who choose to enable interoperability (interop) to send and receive messages with opted-in users of either Messenger or WhatsApp – both designated by the European Commission (EC) as being required to independently provide interoperability to third-party messaging services,” Meta’s Dick Brouwer said.

DMA, which officially became enforceable on March 7, 2024, requires companies in gatekeeper positions – Apple, Alphabet, Meta, Amazon, Microsoft, and ByteDance – to clamp down on anti-competitive practices from tech players, level the playing field, as well as compel them to open some of their services to competitors.


As part of its efforts to comply with the landmark regulations, the social media giant said it expects third-party providers to use the Signal Protocol, which is used in both WhatsApp and Messenger for end-to-end encryption (E2EE).

The third-parties are also required to package the encrypted communications into message stanzas in eXtensible Markup Language (XML). Should the message contain media content, an encrypted version is downloaded by Meta clients from the third-party messaging servers using a Meta proxy service.

The company is also proposing what’s called a “plug-and-play” model that allows third-party providers to connect to its infrastructure for achieving interoperability.

“Taking the example of WhatsApp, third-party clients will connect to WhatsApp servers using our protocol (based on the Extensible Messaging and Presence Protocol – XMPP),” Brouwer said.

“The WhatsApp server will interface with a third-party server over HTTP in order to facilitate a variety of things including authenticating third-party users and push notifications.”

Furthermore, third-party clients are required to call a WhatsApp Enlistment API when opting into its network, and to provide cryptographic proof that they own the third-party user-visible identifier, both when connecting and when a third-party user registers on WhatsApp or Messenger.


The technical architecture also has provisions for a third-party provider to add a proxy or an intermediary between their client and the WhatsApp server to provide more information about the kinds of content their client can receive from the WhatsApp server.

“The challenge here is that WhatsApp would no longer have direct connection to both clients and, as a result, would lose connection level signals that are important for keeping users safe from spam and scams such as TCP fingerprints,” Brouwer noted.

“This approach also exposes all the chat metadata to the proxy server, which increases the likelihood that this data could be accidentally or intentionally leaked.”
