Don't Let Complex Security Regulations Overwhelm You
Ivan Gil, Senior Information Security Consultant at ePlus, shares his insight on tackling a complex regulatory landscape while enhancing your security posture through virtual CISO services.
Security continues to be a top priority in business due in part to its complex nature and the ever-increasing number and sophistication of the threat. With the expansion of our digital footprint and shortage of security talent, we are continuously at the mercy of the attacker.
According to Gil, there are several reasons for this, including the growing cybersecurity skills shortage which has increased 26% in 20221 and continues to grow.
Other reasons include executive and board members becoming more aware of the financial damage data breaches can cause.
In 2022 the average cost of a data breach in the U.S. was $9.44 million2 —and the cost to insure against them is increasing year on year.
“Boards now realize the impact a cyber breach can have on an organization,” Gil said, “and they want to make sure they are meeting their requirements…whatever those requirements are. On top of that, cyber insurance carriers are becoming more demanding, requiring organizations to meet certain mandates before they will insure them.”
Mandates vary by industry, but every organization must be cognizant of which mandates apply to them and implement policies to ensure compliance. For many organizations, however, the sheer complexity of the regulatory landscape can be overwhelming.
“Many [organizations] just don’t know what the requirements are,” Gil said. “It’s not that they are blatantly disregarding the regulations. In many cases, they just aren’t aware of them.”
This is the responsibility of the Chief Information Security Officer. CISOs are security experts who understand security frameworks, risk, governance, and compliance and are adept at assessing security needs and implementing security programs.
A significant issue is the shortage of qualified CISOs in the marketplace. For many companies, hiring a full-time person for the job is unaffordable, even if a qualified person could be found.
This is one area, Gil said, where virtual CISO services from ePlus can help.
“ePlus has security experts who have the skills and experience to do the CISO job,” he said. “We can step in and fill that role for customers, and for many of them, we do.”
Moving Forward with Confidence
Gil added that the breadth of business, technical, and process resources available at ePlus enhances ePlus’ services capabilities. This makes ePlus different from other companies and gives customers confidence that their security programs will be implemented and managed successfully.
The ePlus approach begins with a risk assessment. From there, a customized roadmap is developed, based on the organization’s current security posture and regulatory requirements, and then a full implementation. This can encompass a broad scope of activities: controls validation testing, policy and procedure reviews, vulnerability and patch management and penetration testing, security gap analysis, 3rd party risk management, and more.
Gil said, “Once a framework is in place, then we can drill down to establish the strategic activities organizations need to accomplish, like creating a business impact analysis, disaster recovery plans, business continuity plan, third-party risk assessments, and data governance programs.”
“Ultimately,” he said, “it’s the responsibility of the CISO to lead the organization down the right path to ensure its security needs are being met.“ The CISO should know what to do and how to do it and have access to the resources necessary to get it done. At ePlus, we have both. We have industry experts who understand the regulations and frameworks—HIPAA, HITECH, PCI-DSS, FERPA, GLBA/FD/FFIEC, FISMA, NIST, CMMC—you name it.
We help our customers not only implement an information security program but also integrate security into their business strategy, processes, and culture.”
Industry experts agree that cybersecurity is a moving target, with new threats emerging nearly every day and regulatory requirements evolving to combat them. This is why risk, governance, and compliance will continue to be a top priority for every organization.
To get more information on how ePlus can help you implement an information security program that is right for your organization, take a look at our Consulting and Compliance and vCISO services.
References:
1. (ISC)2 2022 Cybersecurity Workforce Study
2. IBM Cost of a Data Breach Report 2022