By: Paige Goss
How to Get Your Security Compliant and Earn More for Your Business
What many business owners don’t necessarily realize is that security compliance is a game changer when it comes to landing bigger and better clients. If you’re a small or medium-sized business looking to expand, getting your security compliant with national or international standards (e.g. the NIST Framework or GDPR) opens up a whole new world of opportunities. Because the thing is: big clients bring big security requirements.
Virtually any Fortune 100, 500 or 1000 organization is going to ask you to fill out an exceptionally rigorous security assessment document. This is also likely to be true if you’re trying to contract with one of their vendors. It’s a trickle-down effect that ensures pristine data security across their infrastructure – which makes sense. The average cost of a data breach in 2020 was $3.86 million, after all. So they can’t afford to have any rusty locks on their data’s backdoors.
Compliance Doesn’t Happen On Its Own
First, keep in mind that even if you’ve got pretty good security protocols in place, that doesn’t mean your framework is compliant. The compliance checklists are incredibly thorough. They require both a high level of technical infrastructure and extensive documentation of how standards are being met.
Unfortunately, getting a company’s security compliant isn’t just a matter of updating a document and having your team sign off. Too often, we hear people saying, “I’ll make sure my engineers know that it’s important.” Then they assume that will take care of it. A lot of really bright engineers want to code and want to solve problems. However, that doesn’t mean they’re prepared to set up the infrastructure to have it all be easily documented or scalable. And that’s where companies end up running into problems.
When confronted with a security audit, even the CTO and VP of engineering might not know where to begin filling it out. No matter how experienced or savvy your IT team is, without specific experience in security compliance standards, they’ll likely have a hard time figuring out where your company stands in relation to the expectations of a potential contract. Why? Because compliance is really complicated.
Technical Components Have to Align With Your Policies and Procedures
When it comes to meeting data security standards, audit requirements deal with both security configuration on the technical side as well as the practical implementation of policies and procedures (P&P). Oftentimes those bright and code-oriented developers will do a great job of setting up the technology to make it nice and secure. They just might end up doing it in a way that doesn’t actually match what the P&P say the company is doing.
So, it’s pretty common for companies to have their technical components in place, but then the P&P might be missing entirely. Or, they might not have the documentation arranged cohesively. Or, they might have appropriate P&P in place, but the paper trail doesn’t align with what’s actually happening. Or, the P&P might be in good shape, but the onboarding and training don’t include adequate record-keeping… you get the idea. There are a lot of areas where things might not automatically or easily line up with rigorous audit expectations.
Achieving Compliance Starts with Rigorous Analysis
Step one in achieving security compliance is getting a thorough understanding of where things stand on both the technical side and your company’s P&P. This begins with analyzing the current state of your security and applications: first checking for alignment within your P&P, then testing the technical infrastructure.
Many companies we work with are surprised to discover the misalignments and gaps in their P&P. The basic questions to ask in an initial compliance analysis are: what policies and procedures exist? Do you have the appropriate P&P to meet NIST or GDPR standards? Does policy actually match procedure? Is what you’re doing aligned with what the policies say you do? More likely than not, there will be some gaps in all of these areas.
The next step in a rigorous analysis is to check and test your technical infrastructure. First, compare your technical components with your P&P – are there any conflicts? Are the P&P sufficiently detailed when measured against your security operations? Second, run tests. Run very thorough penetration tests. Better yet, have someone outside your organization run tests and help you get clear on: can someone get into your network? How far can they get in? And what can they get into once they’re inside?
Remember Major Changes Will Yield Major Returns
Too often, companies walk away from huge opportunities because achieving compliance seems daunting. Sometimes they take one look at the requirements checklist and assume it’ll be too much work. Or, they run an analysis and get clear on just how much work it will be. But too often, they give up too soon. Yes, thorough compliance is almost always a big undertaking. But it’s also an incredibly rewarding one.
Realistically, unless your security standards are exceptional, getting your technical systems and P&P compliant will take the better part of a year. There will likely be major changes to your technology and security training, your development processes, your network configurations and the ways you document and implement your policies and procedures. Just remember that all of this can ultimately yield major ROI.
Just landing one contract with a Fortune 100 company led to multiple millions of dollars in net revenue for one of our clients. It also provided them with the sales ammunition to go after other clients in the same arena – an arena they could never have entered without the security chops to get through the door.
Finally, just remember that once you get your security compliant, all that’s left is maintenance. With the right systems in place to manage your training and documentation, you’ll be locked and loaded, ready to meet any compliance checklists head on. You’ll stand out from the competition and be able to start work sooner and with greater peace of mind.