The Myth of (Non)Compliance - Abacode Blog
The Myth of (Non)Compliance
Jeremy Rasmussen | 5 Minute Read

Guess what? You’re going to be compliant with something

In certain sectors, we’ve heard the claim that there’s really no industry standard or governmental regulation regarding cybersecurity.

Construction, manufacturing, engineering, consulting, logistics and distribution, maritime, property management — just to name a few — are places where we’ve heard this. Unsurprisingly, these industries are also where Abacode has been called in most often for Digital Forensics and Incident Response (DFIR) after data breaches.

The hard truth is, whether your industry demands it or not, you’re going to be compliant with something. If you’re not applying cybersecurity best practices, then you’re compliant with ZERO.

Why do we have standards in the first place?

Per the U.S. National Institute of Standards and Technology (NIST), standards do the following:

  • Provide a common language to measure and evaluate performance,
  • Make interoperability of components made by different companies possible, and
  • Protect consumers by ensuring safety, durability, and market equity.

Of course, there are also arguments against having standards, since their absence can:

  • Allow for rapid introduction of new technology,
  • Differentiate among operators, and
  • Foster healthy competition.

By our nature, people hate having to conform to some norm of expected behavior. And there’s always a cost associated with having to meet it. However, arguably, industries lacking standards are doomed to greater expenses because you’ll have competing, incompatible models vying for market share. And in the case of cybersecurity, cleanup costs always dwarf the price of preparedness.

So, let’s look at the reality of compliance: every sector must address cybersecurity best practices, regardless of any formal mandates. Whether B2B or B2C, handling your customers’ sensitive and private data with kid gloves is expected behavior – even in industries with “no” regulation. The Federal Trade Commission (FTC) will see to that!

At a minimum, if your business does not have all of the following in place, it is at risk of ransomware, sensitive data theft, and other threats:

  • Performing a gap assessment versus a cybersecurity best practices framework, such as the CIS Top 20, NIST CSF, CMMC, or ISO 27001.
  • Designing security controls and process implementation to address gaps.
  • Implementing formalized cybersecurity policies and procedures throughout the organization.
  • Regularly scanning and patching vulnerabilities/misconfigurations both externally and internally.
  • Continuously monitoring for security incidents, and responding to address these in a timely manner.
  • Performing external/internal network, Web, and application penetration testing at least annually.
  • Providing cybersecurity awareness and phishing training for employees.
  • Managing governance, risk, and compliance (GRC) on a continuing basis (i.e., collecting artifacts, updating reports, etc.)

Let’s be frank: being compliant will not necessarily make you secure. We have seen companies that just “check the box” – for example, scrawling out some policy documents right before the auditor arrives, while never actually implementing these in the operational environment. Such “compliance” efforts may be even more dangerous than having nothing in place at all, because they create a false sense of security.

A “real” cybersecurity program takes a concerted effort and commitment on the part of the entire organization, beginning with executive leadership. Cybersecurity cannot be a grassroots effort of the IT Department. Unless the C-suite is not only involved in but leading the compliance effort, the cyber program will fail.

As illustrated by the following clichés, it’s easy to see why this is:

  • What? Me worry? Executive leadership is often unaware of what it should be doing. Thinking that cybersecurity is a technical issue (perhaps too technical to understand!), executives leave it up to their IT leadership – who may or may not know what best practices should be in place. The C-suite really needs to understand that cybersecurity is a business issue first, and a technology issue second.
  • Put your money where your mouth is. Cyber budgets often lack the funds they require due to management feeling as if they are just pouring money into a black hole. Consequently, this signals to the rest of the organization that management isn’t really serious about solving the problem. However, there are methods to quantify risk and show ROI on cyber spending, providing a “win” in the game for CFOs.
  • Do as I say, not as I do. Executives are often the worst offenders when it comes to falling victim to social engineering and other attacks (usually because they want the rules to apply to everyone else, but not to themselves – even though they are the highest-value targets!).

Hopefully, you’re convinced by now that every business needs to be compliant with cybersecurity best practices. But if not, consider cybersecurity as a business enabler rather than a business expense.

Increasingly, we’re seeing supply chain pressures that trump any regulatory requirements! In other words, companies are finding themselves in the position of having to show some level of cyber due diligence to partners with whom they do business. For example, a small auto parts manufacturer found itself at risk for losing a huge contract with a leading carmaker because they didn’t have cyber best practices in place for handling the latter’s proprietary engineering data. In this case, having to spend $100K to earn $10 million was a no-brainer.

The good news is that, as daunting as that minimal list of best practices appears at first glance, there is outsourced help available to manage all of this for you – regardless of your industry.

Abacode is one of a new breed of Managed Cybersecurity and Compliance Providers (MCCPs) that looks at cybersecurity holistically and provides not only deep, experienced technical acumen (e.g., penetration testing and 24/7 security operations) but also broad knowledge in governance, risk, and compliance. Abacode is one of the representative vendors mentioned in the seminal MCCP research report published by the Cyber Theory cybersecurity think tank.

The reasons you should consider outsourcing this work versus DIY:

  • Experienced, qualified resources are difficult to find. There’s a worldwide shortage of cybersecurity talent. Go with a consultant that already has a stable of talent.
  • Hiring dedicated staff is expensive and doesn’t necessarily cover all the bases. For example, if you were going to run your own 24/7/365 security operations, you’d need a minimum of six staff (two per shift, around the clock). With managed services, you get an entire team for the price of 1-2 full-time employees (FTEs).
  • Due to major budget and headcount cuts in IT despite increased cyberattacks and demands on IT, 83% of IT leaders are looking to outsource security in 2021.