Executives in cybersecurity often hear that unless additional money is spent, the company will be hacked or that without more funds, regulatory compliance cannot be met.
By: Michael Meline (Cyber Self-Defense CEO) & Julie Stewart
A CyberSecurity program should enhance the products or solutions provided by the company. It should allow employees to be productive at conducting business, not merely at being compliant. The biggest pitfall in cybersecurity programs is the “Checkbox Approach”, and this is where the threats mentioned above are heard most often. While the checkbox approach can have specific rules to be followed, its guidelines are too generic to manage risks (identify, prioritize, and address them).
- First, let’s take the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Audit protocol (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html). It states "164.308(a): A covered entity or business associate must in accordance with 164.306: (1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations."
Is there a magic number of policies that will meet the requirements of this statute? Developing a canned set of policies and procedures in an attempt to comply will waste time and may even harm the ability of employees to conduct business. The right number of policies is determined by creating a program based on the company’s identified risks.
- HIPAA audit protocol states, "164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
I have reviewed risk assessments for potential clients that are 20 lines long. The risk assessment recommended for that company would be over 50X that number to make competent decisions. Unfortunately, many companies want to check a box instead of accurately assessing risks and responses, which would later guide their success.
A checklist is not going to properly address risks. The ideal way to enable the business is to take a risk-based approach to your compliance needs, analyzing the areas specifically identified within the risk assessment.
This Risk-Based process aids in achieving success and managing expectations. For each risk, companies can:
- accept the risk after exploring the actual threat to the business
- choose alternate corrective actions, or
- avoid the activity altogether
This Risk-Based approach may often allow for the removal of expensive, partially implemented equipment and its replacement with more appropriate processes, saving the company large amounts of resources: money, frustration, and time. It removes the “do it or die” approach, which is both costly and ineffective. It will justify, or eliminate, the decision to buy a set of tools to achieve goals. Further, it will provide a clear and consistent progress report of improvement initiatives and decision making that can be used during a potential incident.
In both the long and short run, the checkbox approach is much more expensive than a risk-based program approach, which addresses each risk and its components instead of a generic list of to-dos. This enables the business to meet compliance and manage prioritized risks. Success of the business is at the center!