GRC Viewpoint

The Need for Evidence: Ensuring Effective Cybersecurity as Regulations and Requirements Evolve

Nearly everyone will agree that the digital threat landscape is constantly changing and that every organization needs to improve its defenses in response. If you don’t agree, spend a few minutes with your favorite search engine or news program; I’m confident you’ll come to a similar conclusion. Even with that understanding, however, many business owners take a “checklist” approach to their cybersecurity program. Or worse, they do only the bare minimum their contractual commitments require.

In response to the growing threat landscape, regulatory bodies have introduced more stringent cybersecurity standards, such as the Cybersecurity Maturity Model Certification (CMMC), new Securities and Exchange Commission (SEC) disclosure requirements, and state regulations such as New York’s. While compliance with these regulations is crucial, the need for evidence of an organization’s cybersecurity posture extends beyond regulatory adherence. It is about demonstrating that cybersecurity measures are actually effective against real-world threats, not merely that they exist on paper.

One of the most significant developments in recent years is the Cybersecurity Maturity Model Certification (CMMC) from the United States Department of Defense (DoD). CMMC is now entering the final stages of the rulemaking process, and everyone should be paying attention, whether you are a defense contractor or not. Most defense contracts have carried the DFARS 252.204-7012 clause for years. In short, that clause requires the contractor to implement the security requirements of NIST SP 800-171 (NIST SP 800-171A is the companion set of assessment procedures used to check that implementation), and by accepting the contract the contractor represents that it has done so. The reality was that far too many contractors were not doing what they said. So the DoD created CMMC to enhance the cybersecurity posture of defense contractors and subcontractors. While compliance with CMMC will be mandatory for DoD contractors that handle covered information, the underlying principle is the importance of evidence-based cybersecurity practices. Organizations must not only claim compliance but also provide tangible evidence of their adherence to cybersecurity standards through documentation, audits, and assessments: system security plans, plans of action, configuration records, and assessment results, not just a signed statement. I hear from some defense contractors who are surprised by these “new” requirements. These aren’t new. The DoD is just now saying, show me the proof. And by the way, for most contracts involving Controlled Unclassified Information, a certified third-party assessor will be doing the checking rather than the contractor itself.

Similarly, the Securities and Exchange Commission (SEC) has been proactive in addressing cybersecurity risk at publicly traded companies. Its recent rules require registrants to disclose material cybersecurity incidents promptly (on Form 8-K, within four business days of determining that an incident is material) and to describe their cybersecurity risk management, strategy, and governance in their annual reports. These rules emphasize not only the need for robust cybersecurity measures but also the importance of being able to verify and document them: a company cannot credibly describe its risk management practices, incident response plans, and ongoing risk assessments in a public filing unless it can produce evidence that they exist and operate as described.

Beyond federal regulations, states like New York have taken proactive measures to strengthen cybersecurity within their jurisdictions. The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) requires the financial institutions it regulates, including banks, insurance companies, and other financial services firms, to implement comprehensive cybersecurity programs and to certify their compliance annually. While compliance with the NYDFS regulation is necessary only for organizations operating under its jurisdiction, the broader message applies to all industries: evidence-based cybersecurity practices are imperative for safeguarding sensitive data and mitigating cyber risk.

Documentation serves as the tangible record of an organization’s cybersecurity posture. It includes policies, procedures, risk assessments, incident response plans, and evidence of compliance with regulatory requirements. Regular audits and assessments validate that the controls described in those documents actually operate as intended and identify areas for improvement. Evidence of compliance not only satisfies regulatory mandates but also instills confidence among stakeholders, including customers, partners, and investors.

The common thread among these regulatory initiatives is the emphasis on governance, specifically on validating cybersecurity practices. Merely claiming compliance is no longer sufficient. We all need to move beyond a “checklist” mindset. Checklists are helpful for ensuring proper implementation. However, once that checklist goes into a drawer, it becomes useless for determining whether “real life” still matches what the policy or procedure stated.

While it may seem burdensome for small businesses to invest time and resources in cybersecurity compliance, the reality is that the winds of change are blowing in this direction. Other governing bodies and industries are increasingly moving toward stricter cybersecurity regulation, with an emphasis on evidence of compliance rather than self-declared adherence.

In conclusion, the need for evidence of compliance with cybersecurity standards transcends regulatory requirements. While regulations like CMMC, SEC requirements, and New York State regulations set the baseline for cybersecurity practices, organizations must go beyond mere compliance and validate the real-life state of their cybersecurity measures. Governance, including robust documentation and evidence of compliance, is critical in protecting organizations against cyber threats and safeguarding sensitive data. By embracing evidence-based cybersecurity practices, organizations can enhance their resilience, mitigate risks, and build trust in an increasingly digital world.

You may want to push back against big brother. Or you may be thankful the external pressure for compliance hasn’t reached your organization yet. I urge you to resist that temptation and consider what’s best for your organization. We should all follow these regulators’ lead and make sure our cybersecurity protections are truly doing what we said they were.


By Steven Lauber, CEO, Trailhead Networks
