It’s a Team Sport: Security and Compliance
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Robin Tatam of Puppet by Perforce coaches us on how to approach security and compliance as a team sport. As in any team sport, everyone needs to be involved.
In an ideal world, the developers’ environment is already secure and compliant when they begin to work. However, the ideal world isn’t always reality. This is why it is imperative that organizations protect their data and proprietary materials, especially as research shows that damage from cyber-attacks could result in an annual loss of $10.5 trillion by 2025.
As companies grapple with the Securities and Exchange Commission’s (SEC) newly adopted cybersecurity disclosure rules, security and compliance must become a top priority for not just the security team, but for the entire IT operations team. To be flexible and agile in this new disclosure era, teams cannot operate in a siloed environment – they must embrace the fact that to satisfy today’s security standards and compliance regulations, an entire organization needs to be behind this effort. Today, security and compliance must be seen as a team sport with shared responsibilities across multiple facets of the company.
Playing by the SEC’s Rules
In July, the SEC adopted new cybersecurity rules for public companies, requiring businesses to disclose a material incident within four business days from the time the organization determines it occurred. These new rules are meant to enhance and standardize the way companies report cybersecurity risk management strategies. Besides the four-day disclosure rule, U.S.-based companies must also comply with new incident reporting and governance disclosure requirements, including filing Form 8-K or Form 6-K, depending on the incident at hand. These requirements are more detailed than the guidance that the SEC previously issued in 2011 and 2018.
When a company experiences a cyber-attack, it is crucial to manage the risk by moving swiftly to contain the event and return to a secure environment. However, once a company has determined that an incident is material, four days is a short window in which to disclose it through the proper forms, especially while the company is likely still actively engaged in mitigation. This new timeframe highlights the need for companies to have a carefully crafted and pressure-tested response plan in place beforehand, instead of scrambling to create one after they’ve fallen victim to a cyber-attack.
Adopting the “Team Sport” Mentality
It can be easy to assume that compliance is the responsibility of one person (or one specific role) within an organization, meaning that each team stays in its respective lane to complete its job. However, today’s fast-paced IT environment is plagued by cyberthreats that continue to grow in both volume and sophistication. Therefore, the IT operations team must now be just as much a part of the security and compliance discussion as the security team. By reducing the time to identify and report an incident to only 96 hours, the SEC is clearly suggesting that everyone must work as a team. Agility and flexibility are necessary to meet the tightened timeframe. Additionally, defining responsibilities for both IT operations and security teams means being able to establish an order of operations to follow once a security breach is found. With the chain of command pre-planned, each team knows its role and wasted time is eliminated. Implementing a “team sport” mentality is paramount as organizations move forward in the new world of security and compliance disclosure.
Building a Response Plan
Having an incident response plan (IRP) for security and compliance incidents was a best practice prior to the SEC’s new four-day disclosure requirement. Now that the window to report is narrower than ever, it is of the utmost importance that teams not only have a response plan in place, but that all of the responsible individuals in the organization know the details of the plan.
An IRP must clearly identify responsibilities and should be shared across teams to facilitate efficiency and an enhanced sense of preparedness. A team mindset encourages more effective communication when an incident does take place, thereby reducing time-sapping confusion about what the next steps should be. If responsibility for reporting incidents falls on one individual, an organization leaves itself vulnerable should that individual leave the company. In today’s volatile job market, everyone across an organization’s team should have access to the same knowledge base on maintaining security and compliance in the event of employee turnover. New team members must be trained as well, further solidifying the team mentality.
Continuous Course Correction
The SEC has also enacted periodic disclosure requirements to verify an organization’s processes for assessment, identification, and management of cybersecurity risk. This aligns with experts’ recommendations that policy be established using best practice security frameworks and standards, such as those published by The Center for Internet Security (CIS). Once deployed, servers should be frequently and repeatedly re-evaluated and course corrected to assure that settings, patches, and other configuration elements remain consistent with policy expectations. A security or audit department may ultimately have responsibility for signing off regarding compliance, but IT departments should contribute by enacting solutions that can correct drift between formal audits.
To paint a picture, consider two ships sailing independently across the world, one that makes course corrections only every few weeks and one that course corrects continuously. The first boat makes wild—and potentially catastrophic—course deviations. The second sails in a near-straight line, with the skipper having to validate only that the course correction system is working effectively and to sign off on the ship’s location. In IT, the operations team can automatically mitigate configuration drift, leaving the security department responsible for setting policy and occasionally auditing that the processes are working.
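To make the "continuous course correction" idea concrete, here is an added example (not code from the article or from Puppet) of the loop an operations team would run on a schedule: evaluate a server's current configuration against a policy baseline, report any drift, and correct it in place. It assumes the policy is a small set of required sshd_config keyword/value pairs in the style of a hardening benchmark (the specific values are illustrative, not quoted from a CIS benchmark) and that the current state is the text of an sshd_config file; both are constructed inline so the script runs offline.

```python
"""Continuous configuration drift check and remediation (added example).

Assumptions, not taken from the article: policy is a dict of required
sshd_config keyword/value pairs; current state is the text of the file.
"""
from dataclasses import dataclass, field

# Illustrative hardening policy; values are examples, not a quoted benchmark.
POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of a server's sshd_config after some drift:
# root login re-enabled, a setting commented out while debugging,
# and a loosened retry limit.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
# PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


@dataclass
class DriftReport:
    drifted: dict = field(default_factory=dict)   # key -> (actual, expected)
    compliant: list = field(default_factory=list)

    @property
    def is_compliant(self) -> bool:
        return not self.drifted


def parse_sshd_config(text: str) -> dict:
    """Return the effective keyword/value pairs.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored; full-line comments and blank lines are skipped (sshd has no
    trailing comments, so '#' inside a value is left alone).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key, value.strip())
    return settings


def check_drift(current: dict, policy: dict = POLICY) -> DriftReport:
    """Compare parsed settings with policy. Keywords are case-insensitive.
    An absent keyword is reported as drift: the daemon default applies,
    which is not the same as the policy value being enforced."""
    report = DriftReport()
    lowered = {k.lower(): v for k, v in current.items()}
    for key, expected in policy.items():
        actual = lowered.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            report.drifted[key] = (actual, expected)
        else:
            report.compliant.append(key)
    return report


def remediate(text: str, policy: dict = POLICY) -> str:
    """Rewrite the config so every policy keyword holds its expected value:
    the first active occurrence is replaced in place, extra occurrences are
    dropped, and missing keywords are appended. Unmanaged lines are kept."""
    wanted = {k.lower(): (k, v) for k, v in policy.items()}
    seen = set()
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            key = stripped.split(None, 1)[0].lower()
            if key in wanted:
                if key in seen:
                    continue  # duplicate of a managed keyword
                seen.add(key)
                name, value = wanted[key]
                out.append(f"{name} {value}")
                continue
        out.append(raw)
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


def run_cycle(text: str, policy: dict = POLICY):
    """One scheduled pass: report drift, correct it, re-verify."""
    before = check_drift(parse_sshd_config(text), policy)
    fixed = remediate(text, policy) if not before.is_compliant else text
    after = check_drift(parse_sshd_config(fixed), policy)
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = run_cycle(SAMPLE_SSHD_CONFIG)
    for key, (actual, expected) in before.drifted.items():
        print(f"drift: {key} is {actual!r}, policy requires {expected!r}")
    print("compliant after remediation:", after.is_compliant)
```

In practice the "before" report is what gets logged to the audit trail between formal audits, and a service restart (or a configuration-management agent such as the one the author's company sells) applies the corrected file; that part is deliberately left out so the example stays offline and side-effect free.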
Despite organizations’ best efforts, cyber criminals are always two steps ahead. Therefore, catching an incident as soon as it happens and reporting it in a timely manner is a potential game changer for cybersecurity management. As long as company departments work cohesively as a team and have an actionable response plan in place when an incident occurs, they can handle the SEC’s new disclosure rules with ease.