The Role of Culture in Compliance

It is often said that cybersecurity is one of the fastest growing fields in computer science, and many InfoSec professionals will attest to that. One of the field's greatest attractions is that it is a dynamic profession, with exposure to many new and interesting technologies. Another is that its growth has created a severe shortage of qualified practitioners, which means there are numerous jobs available to candidates with the right skills.

If you are just starting out in the field of cybersecurity, there are many disciplines to choose from.

An Overlooked Treasure

There is an often overlooked aspect of InfoSec that is equally interesting, and equally lucrative: regulatory compliance. One may think that regulations, compliance, and risk management sit entirely under the custodial care of the legal, compliance, and risk departments, but that is not the whole picture. Moreover, there are now so many regulations in play that organizations seem to have to serve many masters.

Some regulations are privacy-centric and others are security-centric, and many contain language specific to InfoSec. That is why an organization's responsibility to achieve full compliance is best served with the expertise of a trained InfoSec professional.

Consider four of the most prominent regulations in recent memory: HIPAA, GDPR, CCPA, and the NYS DFS Cybersecurity Regulation. Each has a different focal point. If your organization has to adhere to any one of them, or to several in combination, then understanding and adapting to each is vital for compliance.

Is there a way for an organization to develop a unified approach to these disparate and somewhat diverse rules?

A Less-Than-Empirical Approach

One way to gauge an organization's level of compliance with any regulation is to observe how uneasy everyone becomes at the prospect of achieving it. This may seem unusual, and it is certainly not quantitative by any stretch of the imagination, yet it is a good indicator of organizational preparedness. An organization that lacks a risk-based approach and a security culture will go into panic mode when faced with the requirements outlined in many of these regulations.

Think of the last time you were in a medical office or a hospital. Did you notice that the people working there practice good security behaviors? Some practices are imposed by design, such as automatic door locks and elevators that will not travel to certain floors without proper authorization. Other security behaviors are ingrained in the culture, such as protecting printed medical charts and locking unattended computer terminals. Why are these organizations better at these practices than non-medical facilities? It may be because the regulation governing health care, HIPAA, has been in existence for twenty-five years. Just as most people who are 25 years old have never known a world without the internet, an entire generation of health care workers has never known the field without the HIPAA safeguards.

The Rest of the World Has to Catch Up

Newer regulations require not only planning but also behavioral shifts. Does this mean that today's organizations will take a quarter-century to ingrain these behaviors into their culture, as HIPAA-covered entities have? Of course not. Not only have most organizations already implemented the requirements of these regulations, they are also becoming more resilient in their ability to adapt to whatever comes next. However, rapidly adopting a regulation's requirements does not necessarily make them part of the organizational culture. That takes a different level of effort.

This is where the value of a trained cybersecurity professional becomes evident. Regulatory compliance needs to be an ever-present thought and practice, and the InfoSec team can impart security knowledge without becoming the "Ministers of the Gotcha". What does this mean?

Rather than demonstrating security by setting traps to catch people out, security is best achieved by example and through active education. This is not a job that the legal, compliance, and risk teams are interested in, nor qualified, to discharge. In fact, heavy-handed, over-zealous behavior from any of these departments can actually hinder security adoption. This is why the task should fall to a well-trained InfoSec subject matter expert.

How the CISSP Credential Can Help You to Succeed

A well-trained security professional can establish the correct protocols, standards, and cadence to inject security into the culture of an organization. If you are looking to gain the skills, knowledge, and confidence to take on the challenge of changing your organization's security culture, the CISSP credential is the ideal proof that you are the right person for the job.

People who hold the CISSP have indicated that it is a primary confidence booster, enabling them to better accomplish their job. CISSP members report that the credential has made them more effective in their roles, not only because of their enhanced knowledge, but also because of the global recognition and respect the certification carries.

Read More

Where can CISSP certification take you as a security professional? Explore possibilities in the latest installment of our interview series featuring Adesoji Ogunjobi, Chief Information Technology (security) Architect and Trainer with Kavod Doyen Consulting in Lagos.

To discover more about CISSP read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.