The array of compliance requirements being propagated by both government and private sector entities is dizzying. Managed compliance is an approach many modern businesses are using as a solution to keep up with all of the new requirements and adjust to changes to existing ones.
The European Union’s NIS2 regulations, the recent SEC data breach notification rule, and the ever-impending requirements under the U.S. DoD’s CMMC are all examples of an expanding regulatory framework meant to bolster corporate information security practices and protect consumer data. Building a comprehensive information security program that maps technical and process controls to existing and pending regulations has never been more critical, but companies still struggle.
Compliance is complex. Small companies often lack the full-time subject matter experts required to translate technical jargon into risk reduction and compliance controls. Large organizations, meanwhile, struggle with massive IT infrastructures and huge amounts of data.
This article dives deep into the world of information security compliance. First, we’ll examine why governments and private industry groups are expanding requirements. We’ll then spotlight a few upcoming requirements. Finally, we will review a way that organizations, both large and small, can stay current with compliance – an approach Rhymetec dubs “managed compliance” or “compliance management.”
Managed Compliance: Why Is The Regulatory Landscape Shifting?
Before we dive into how the landscape is shifting, let’s start with a more basic question – why is it shifting?
The simple answer is that the cyber threat landscape is becoming increasingly dire at the same time as geopolitical tension is increasing around the world.
Ransomware continues to plague both large enterprises and small organizations, and ransomware groups are resorting to increasingly high-stakes gambits in order to elicit payments.
These aggressive tactics were on full display in February of 2024 with the attack on Change Healthcare, which allegedly compromised terabytes of personal health data belonging to millions of consumers. The ransomware group Black Cat not only encrypted files but also threatened to publicize the information if payment was not made, resulting in an eye-popping twenty-two million dollar ransom.
Secondly, geopolitical tensions between the United States and Russia continue to remain at a post-Cold War low point. The risk of Russian, Iranian, and Chinese cyber-espionage against the U.S. technology and critical infrastructure sectors continues to remain acute, with both CISA and the U.S. FBI publishing repeated warnings that they have evidence of ongoing campaigns.
Finally, the cybercrime ecosystem itself is expanding rapidly, and the cybercrime market is booming: The global cost of cybercrime is projected to increase 15% year over year, reaching an annual $10.5 trillion USD by 2025. Market economics incentivizes threat actors to target both consumers and businesses as it pays, particularly in countries and economies with relatively weak rule of law and low median earnings.
Governments around the world, but particularly in Western Europe and the United States, are responding to these challenges with an increasing array of regulations, warnings, and executive decrees designed to incentivize companies to improve their security posture and reduce risk.
Pending Regulations & Examples of Managed Compliance in a Rapidly Changing World
There are many regulations one could cover in this article.
To illustrate our point we will focus on two salient requirements that are particularly telling of where things are moving: The EU’s NIS2 Directive and the SEC data breach notification requirement. We will also talk about recent updates to frameworks like ISO that address new risks to organizations posed by Artificial Intelligence.
The NIS2 Directive and The EU
NIS2 is an EU-wide compliance requirement that will require many EU businesses to meet increasingly stringent information security requirements. Version 2 builds on an original framework that was specifically targeted to improve the security of a narrow band of critical infrastructure companies within the European Union. NIS2 expands on both the scope and scale of NIS, mandating requirements for what will likely be the majority of EU businesses.
EU regulations work by creating a comprehensive framework at the EU level, which is then written into each EU member’s legal code by a certain date. As it stands, many organizations will be required to implement NIS2 by the fall of 2024, specifically ones that provide necessary services to the EU member states, regardless of location.
Some key changes in NIS2 include:
Executive teams and boards of directors become directly liable for compliance violations under the update. Organizations that fall under the regulation are required to implement many specific technical safeguards and are required to report serious incidents to their national Cyber Security Incident Response Teams (CSIRT). Covered organizations are also required to carefully evaluate their supply chains for risks that could result in substantial disruption.
NIS2 is novel in several respects, particularly by making boards of directors and corporate executives directly liable for non-compliance. We’ve seen a similar move to raise cyber risk to the board level in the United States, with the recent propagation of the voluntary framework NIST CSF V2.0 with the addition of the NIST governance function.
SEC Data Breach Notification Rule
The United States currently lacks a strong national cybersecurity regulation such as NIS2. However, various states and federal entities continue to add additional requirements. In 2023 the U.S. Securities and Exchange Commission published a data breach notification rule, requiring covered financial entities to publicly report a substantially adverse event within 24 hours. While this may seem relatively minor, this extends reporting requirements to thousands of publicly traded financial institutions.
The new SEC rule is illustrative of the U.S. patchwork approach to security compliance. Unlike the EU, which is adopting sweeping pan-national legislation, the U.S. instead operates under an array of state, federal, and administrative information security requirements. This can create enormous complexity for both startups and large enterprises as there are questions of jurisdiction, legal language, and mapping complex controls to a variety of requirements.
ISO 42001 and The AI Management System
The AI boom isn’t showing any signs of slowing down. Organizations all over the world are increasingly incorporating the use of AI into their operations and systems. While AI may represent exciting opportunities, a cautious approach that keeps in mind security risks is necessary, particularly as AI is increasingly incorporated into many SaaS companies.
Before implementing AI, security experts recommend that organizations consider the following factors: The projected impact on products, transparency and customer trust, contractual obligations and customer agreements, how AI processes data, and, above all – data privacy and security concerns.
Enter ISO 42001.
ISO 42001 is the first international standard for the use of Artificial Intelligence. It provides comprehensive guidance for organizations on how to establish and manage systems using AI. Similar to the updated NIST CSF framework and NIS 2 in the EU, there appears to be a stronger focus on governance in ISO 42001.
Certification with the standard includes incorporating a defensible systems management strategy specifically for AI. Under controls that address leadership, top management must show how the AIMS (AI Management System) is being used across the organization and how it aligns with the overall direction and goals of the organization.
It’s important to note here that this part of the standard emphasizes continuous improvement. To stay compliant, organizations must provide ongoing evidence that their AIMS is not only continually working as intended but that they are continually improving it to align with new uses of their systems.
Overall, ISO 42001 illustrates yet another shift in the direction of two areas:
1 ) The increasing importance of governance.
2) The sharper focus on continuous compliance rather than a “check the box” mentality of compliance.
Three Benefits of Managed Compliance
At Rhymetec, our vCISO services take the approach of continuous managed compliance.
That is, we don’t treat requirements as a fixed-in-time prescriptive list that’s checked off once it’s done. Instead, we work with our customers to continuously demonstrate affirmative compliance across multiple frameworks and requirements.
We fully manage your legal and voluntary compliance for you in a way that is guaranteed to continuously fine-tune your security posture, be defendable to auditors, and scale with your growing business. We take a multi-step process that includes:
1. Understanding Which Compliance Requirements Apply
It can be remarkably complex for small organizations (and sometimes large ones!) to even begin to understand which compliance requirements they are legally obligated to meet. For example, a large financial institution operating out of New York State may be obligated to meet cybersecurity requirements under:
- NYDFS Cybersecurity Regulation
- The EU’s General Data Protection Regulation (GDPR)
- The U.S. Gramm-Leach-Bliley Act (GLBA)
- The Payment Card Industry Data Security Standard (PCI DSS)
- SOC 2 (As required by customers)
- ISO 27001 (As required by customers)
Rhymetec works continuously with our clients to examine their current business and which existing requirements may apply to them while also keeping an eye on developing requirements in order to help our customers proactively meet legal obligations.
2. Implementing Controls Effectively: Doing Just The Right Amount
One of the benefits of working with a Managed Security Services Provider to implement a managed compliance program is that we leverage more than a century of cumulative experience across a diverse range of cybersecurity disciplines. We bring this experience to bear for clients in order to maximize the efficiency of control implications. We only implement the controls that make sense for our clients.
Fortunately for our clients (and their bank accounts!), in many cases, one security control can meet requirements under multiple frameworks and regulations. For example, the control “employee training” can be tailored to meet requirements under both SOC 2 and HIPAA.
When architected properly, an information security program should be able to meet a large number of requirements with a small number of controls. Effective compliance programs serve as business enablers, allowing the business to work in confidence that they have substantially reduced breach risk and are meeting relevant regulatory requirements.
Bonus Tip For Startups:
As your organization matures, you will likely be asked to meet an increasing number of both legal and voluntary requirements such as SOC 2, NIS2, GDPR, CCPA, FedRAMP, and others. Rhymetec works to understand our client’s business so that we can advise you to be as efficient as possible when implementing compliance frameworks the first time, resulting in cost savings down the road.
For example, if you know you will be selling to the federal government in 2025, we can architect your program to begin meeting and documenting FedRAMP requirements early.
3. Continuous Review
Security is not a fixed point in time activity.
A well-managed compliance program should involve continuous review of the organization’s security controls to ensure they are being effectively met and that processes are properly implemented. Many organizations that attempt to meet compliance themselves follow a similar pattern:
- An organizational leader is tasked with meeting a common compliance requirement or framework, often SOC 2 or ISO 27001 (more often than not because a prospect has asked for it).
- They spend several weeks building documentation, paperwork, and processes to demonstrate compliance.
- They implement many required technical controls.
- But, by the time the auditor comes, many of the processes have been discarded in favor of efficiency and many of the technical controls have lapsed, resulting in a poor showing on the compliance audit.
At Rhymetec, we take the opposite approach:
Controls are only as effective as their implementation and processes are only as good as the adherence to them is. We work with our clients to ensure that security policies aren’t just documents that sit on a shelf collecting dust but are core business documents that form the basis for how the organization does business.
Knowing you’ve outsourced the complexity of all of this and have a team continuously taking care of your legal and voluntary requirements provides peace of mind. That’s one of the key benefits of managed compliance that companies report.
Rhymetec’s Method for Accelerating and Managing Compliance
Our team has worked with hundreds of clients across different industries. We are equipped with the expertise to conduct a thorough gap analysis at the beginning of the engagement to identify areas of improvement. Our team works with you to craft a roadmap tailored to your individual security needs and the compliance requirements relevant to your industry.
We leverage the latest technology, such as compliance automation tools, to streamline documentation of your security policies, collect evidence for audits, and more. We offer expert phishing testing services, internal audits, and penetration testing services (including mobile application penetration testing and web application penetration testing) that are guaranteed to meet security controls.
Finally, our team of experts continuously reviews and updates existing controls, evaluates your information security program throughout phases of growth, and stays up to date with the latest changes in the industry or with compliance standards to help you prevent gaps in compliance—providing an effective compliance maintenance program.
About the Author: Justin Rende, CEO
Justin Rende has been providing comprehensive and customizable technology solutions around the globe since 2001. In 2015 he founded Rhymetec with the mission to reduce the complexities of cloud security and make cutting-edge cybersecurity services available to SaaS-based startups. Under Justin’s leadership, Rhymetec has redesigned infosec and data privacy compliance management programs for the modern SaaS-based company and established itself as a leader in cloud security services.