One area that can keep IT professionals up at night is compliance. Questions to consider: Are your systems up to the challenge? How should your company approach compliance management? Can AI help or hinder your efforts? Can you do it?
The answers to these questions and more were explored in a recent webinar, “Are you compliant?” The event featured Terra Cooke, Security Engineer at Lacework, and Dom Wells, Alliance Manager at DNSFilter.
Cooke opened the webinar by reminding attendees that “good compliance is not good security,” but added that “good compliance helps reinforce good security.” Cooke said compliance efforts are about checking exactly what works and what doesn't in security frameworks. Wells reiterated that compliance gives companies an easy-to-understand roadmap, offering “a way for companies to understand their security posture and internal practices and see where there may be gaps.”
When increasing your company's compliance efforts, some hurdles you'll likely need to clear are securing the necessary resources and gaining buy-in from management and employees. Obtaining corporate buy-in to support compliance can be costly and difficult. But Wells pointed out that “some of the high upfront costs may actually save you money if you actually get hacked,” adding, “It's like insurance, it helps you sleep.”
Several components are required to build an effective compliance framework. There are four key focus areas for your business: people, processes, technology and data. “Compliance is very much a human aspect of security because it touches the entire business,” Cooke said. Wells emphasized the importance of documenting everything for traceability, monitoring changes in vulnerabilities, identifying risk points, and focusing on training.
Hacking is an industry in itself, and it is constantly changing. One hurdle Cooke identified is overcoming the culture of shame that pervades security culture. Companies need to reframe their thinking about security and reinforce the mindset and importance of compliance, for example through Security Champion programs. “Companies need to do a better job of incorporating security into performance reviews so that employees understand the importance of security,” Cooke said. This would give employees a non-financial incentive to make security and compliance part of their mindset.
A good compliance framework consists of multiple steps, all of which take time and education.
Its building blocks include logging; identity and access management, which ensures the right people have access to what they need to see or work on; strong email and web security; and a solid cyber stack that aligns with your compliance goals.
AI and compliance
Where does AI fit into compliance? There is no silver bullet that will keep you 100% protected. DNSFilter uses AI and large language models, and AI can make your life easier when it comes to compliance. “AI is very good at protecting certain things,” Wells said. AI used to observe only past behavior, but now it observes behavior as it unfolds. “AI can do a good job of just protecting us, but don't rely on it to do the heavy lifting for you,” Wells said. “Especially when it comes to compliance, it's going to take a lot of people to get good compliance” and strong security.
Cooke expects one of the biggest areas where AI will have an impact to be risk. “AI now has so much more data to examine, ultimately providing even more bad ‘information’ to review.” AI can also help refine vendor surveys by providing quantitative data as a basis for deciding which vendors to contact first.
Key points
- Build a culture of compliance from within.
- Find resources for continuous learning.
- Tell a great compliance story.
- Be able to explain the “why” behind your efforts.
Conclusion
In summary, all cybersecurity professionals need to stay up to date on compliance, or at least strive toward it. Of course, IT professionals need buy-in from every part of the company, from the C-suite to all employees. What's important to remember is that compliance isn't just about checking a box; it's about what you do to improve when you're out of compliance. “It's a process and a journey,” Cooke concluded.