Throughout all major industries there are basic sets of standards and policies that govern security practices within the scope of their influence. For many of these groups, compliance is mandatory. Mandatory compliance aside, the standards defined by the industries that relate to your organization will help you implement effective security practices.
The strategy of aligning a security program to a framework that accounts for business goals, risk management, and industry regulations is referred to as GRC, short for governance, risk, and compliance. Basically, you start with a set of standards for your industry—including laws, regulations, and best practices—and design a program that not only helps your organization stay in legal compliance but also ensures your security strategy supports the business goals of the organization.
If you’re unsure how to start or improve security practices, using industry standards can be a boon to what may feel like an overwhelming objective. The roadmap to compliance is already defined by industry experts and will help guide you through the process from start to finish.
Compliance with industry-standard security policies isn’t just a good roadmap; it also helps with liability. Effectively, a program grounded in GRC can speak for you in court: “Your Honor, we can prove that we have effectively done everything within our power to adhere to the security practices defined by HIPAA, PCI, NIST, etc.”
Even if you’re a small mom-and-pop company with no need for regulatory compliance, there are still good frameworks that exist to help improve your security posture. The 20 CIS (Center for Internet Security) Controls (CIS20) are a great way for a small organization to begin incremental development of a security program.
In other words, using GRC as a foundation for your security program takes away much of the guesswork and helps ensure an effective and efficient path to a strong security posture.
Do your research and find the security policies that make sense for your organization. Are you in healthcare, finance, defense, etc.? If you know what kind of business you’re in, this should be an easy process.
Sometimes it isn’t as obvious what standards apply to your market segment. If you want to start checking boxes until your customer base is more defined, I highly suggest using NIST 800-53. As a standard set by the National Institute of Standards and Technology, part of the U.S. Department of Commerce, NIST 800-53 serves as a model for many industry-specific security frameworks. Using NIST 800-53 as a baseline will put you miles ahead when you do finally set out to define the scope of your compliance.
Next, you need to create your organization’s playbook. Whether it’s regarding incident response, vulnerability management, purchasing, contracting, etc., your team should have a playbook that they can refer to.
A good playbook makes sure that business decisions are made in a way that ensures security is handled proactively rather than reactively. It also helps team leaders make decisions confidently and provides a course of action in times of chaos.
Finally, you must keep up with revisions to security policies that you’ve committed to following. The landscape changes rapidly in cybersecurity, and, consequently, so do the standards and best practices designed to address it. Staying up to date on standards and your GRC policies will not only help with continuous compliance but also ensure you’re reevaluating your security posture on a regular basis.
GRC is the cornerstone of a strong security program and the foundation upon which your pillars (see “The Three Pillars of Cybersecurity”) will stand. By defining and adhering to the framework of policies that best fits your industry, you will automatically build your own strong and resilient security apparatus. Every organization is unique, and it’s hard to define which security practices will be most effective for yours. Use GRC to guide your organization and improve resiliency.