Busting compliance myths

In this interview for Help Net Security, Troy Fine, Senior Manager of Cybersecurity Risk Management at Drata, talks about the challenges of data compliance and what companies must do to achieve it.

Compliance has been an important factor for all businesses for quite some time now. What are the hurdles most companies have to overcome to be fully compliant?

As the digital world becomes increasingly interconnected, data privacy and building customer trust has become a key priority for businesses. Getting started can be a significant hurdle, but prioritizing compliance from an early stage can help businesses avoid issues further down the road. Complying with data privacy standards has historically been a complicated, expensive, and time-intensive process (e.g. screenshots and spreadsheets).

The complexity and variety of today’s privacy frameworks, standards, and regulations, including SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, CCPA, and others, certainly add to the confusion. Understanding and implementing these standards without the proper tools and staff can be costly and labor-intensive, and common misunderstandings about compliance can also slow the process. Companies sometimes view compliance as a one-time exercise to check a box and achieve a certification. However, companies are now learning that continuous compliance monitoring not only saves them time and money but also strengthens their overall risk management strategy.

How important is in-house expertise for a good company-auditor relationship and why?

Most companies, especially small and mid-size businesses, don’t have the budget for staff solely dedicated to compliance. This lack of in-house compliance experience and expertise often prompts companies to turn to third-party solutions to streamline the compliance process and act as a liaison with their auditors.

In short, in-house expertise is not needed for a good company-auditor relationship. What’s needed is the ability to establish trust and transparency with your auditor. Fortunately, third-party tools can not only make the auditor’s work easier by providing comprehensive and streamlined information, but allow the companies themselves to go into their audits with the confidence that there will be no unpleasant surprises.

What are the most common compliance myths?

Some of the most common compliance myths stem from misnomers and confusing or conflated terminology. Take, for instance, the terms “security” and “compliance”, which are interconnected but not interchangeable. Misunderstandings about what falls under compliance and what each compliance standard entails can cause serious confusion.

SOC 2 compliance is a great example. People are constantly saying they have a SOC 2 “certification,” but that’s incorrect. SOC 2 isn’t a certification, but rather an attestation report that provides a security snapshot for a given moment in time or over a period of time.

Another common myth is around control mapping documents, which most people see as the easy way to achieve compliance. In reality, mapping generally doesn’t make it clear which controls are actually being implemented, and can create the impression that compliance standards have been met when they actually have not.

Is compliance customization a must or does one-size-fits-all work as well?

In general, a one-size-fits-all approach doesn’t take into account the unique risks individual companies face. Companies across all industries have complex security and compliance needs, and while most start from the same general place, a mature compliance program will have more tailored controls.

Streamlining the different compliance requirements across different solutions within one organization is something tailored compliance tools can help with, in ways that include taking advantage of any completed, overlapping work. Fine tuning security postures, frameworks, audits, policies, and attestations ensures a company’s compliance program meets the specific requirements of each environment better than a “one-size-fits-all” approach possibly could.

How do you see compliance evolving in the future?

In the US, we can expect states with active privacy regulations to dramatically increase their enforcement of these regulations. California will lead the way, but Utah, Colorado, Virginia, and Connecticut will also play a role as new privacy regulations continue to emerge and enter enforcement.

At a higher level, companies – especially in the retail and tech space – will see increased financial penalties if they are noncompliant. This crackdown on enforcing compliance has already started and we’ve started to see not only organizations but individual executives face the penalties.

In general, compliance is evolving to become continuous and more automated. A growing number of companies are now recognizing that compliance monitoring is not a one-time process for audits but an ongoing part of a comprehensive risk management strategy. Compliance is still sometimes seen as a box to check, but in the future the foundational trust that compliance establishes will play a larger role in building stronger customer relationships and faster business growth.