How To Get Compliant and Stay AgilePublished January 17, 2019 by Karen Walsh • 5 min read
Agile companies do things faster. When you think about agile regarding the lean startup model, you focus on quick wins, ruthless prioritization, external focus, and continuous improvement. At its core, agile development relies on continuous testing leading to continuous improvement. In cybersecurity, continuous monitoring enables an agile continuous compliance stance.
Agile Compliance Management
What are the lean-agile development methods?
Lean development means a set of principles designed to
- Eliminate waste
- Build in quality
- Create knowledge
- Defer commitment
- Deliver fast results
- Respect people
- Optimize the whole.
By eliminating inefficient processes, companies deliver software faster.
Agile development expanded on lean development, establishing twelve principles:
- Customer satisfaction
- Harnessing change for a competitive advantage
- Delivering working software frequently
- Bringing business and development departments together
- Supporting talent
- Conveying information efficiently
- Measuring progress by working software
- Promoting sustainable development
- Focusing on technical excellence
- Maximizing the amount of work not done
- Using a self-organizing team to build the best architectures, requirements, and designs
- Reflecting and readjusting
At their core, both methods focus on efficiency, communication, sustainability, speed, and quality.
How Agile applies to cybersecurity
Agile methods, by focusing on harnessing change, reflection, and readjustment, aligns well to cybersecurity. At their core, malicious actors are agile development superstars. They continuously readjust their attack methodologies to maintain the “quality” of their software, ensuring that they can stay one step ahead of cybersecurity protections.
Thus, for organizations to combat these threats, they need to create a security-first approach that functions the same way. As the old saying goes, if you can’t beat them join them.
What is agile compliance?
Agile compliance focuses on the same 12 principles, but rather than focusing on product creation, it focuses on threat mitigation. However, rather than customer satisfaction being the starting point, agile compliance from a security-first perspective treats customer data security and stakeholder satisfaction as the product.
When looking at governance, risk, and compliance (GRC) in cybersecurity, data integrity and availability acts as the path to customer confidence and satisfaction. With a security-first approach to compliance, you create an iterative process with monitoring, mitigation, and review that aligns your controls to protect your data.
Agile Compliance in Cybersecurity
A security-first strategy for protecting data leads to creating an agile compliance program. Security-first compliance focuses on the quality of your data controls ensuring that even when standards and regulations lag behind threat vectors and methodologies, you maintain a secure data environment.
Bringing business and IT departments together
Risk management begins with aligning business objectives to your IT assets. As your business scales, you need to ensure that your cybersecurity program can withstand the growth without being compromised. Therefore, you need to start by looking at the current technologies that enable business and determine whether you need more and can effectively mitigate the risks of additional vendors.
Using self-organizing teams to build your compliance program
Once you’ve aligned your business objectives to your IT department, you need to bring in leaders from across all departments. Every business unit uses supporting technologies, from Software-as-a-Service (SaaS) platforms to department-specific software. An effective compliance program requires you to create an inter-department team to review digital assets and the data they store, transmit, and process, they gain a holistic view of all software, systems, and networks.
In agile compliance, supporting talent means understanding that everyone in the organization is responsible for cybersecurity. By creating a cyber aware culture wherein all employees understand how their work relates to the organization’s cybersecurity, you can maintain a more robust information security profile.
Focusing on technical excellence
Your CISO, CIO, and IT departments know how to protect your environment. They possess the technical skills to ensure continued control effectiveness. However, you need to provide them with the appropriate tools to enable their work.
Promoting sustainable organizational development
You want your business to grow. To do that, you need to bring in more business partners. Increasingly, organizations are adding more SaaS systems and migrating data to the cloud to ease the strain on their business processes. Sustainable organizational development, therefore, requires you to create a vendor risk management program that allows you to scale your business while maintaining a secure data ecosystem.
Measuring security by working controls
You need to translate key performance indicators (KPIs) into the language of business to enable a more robust compliance program. For example, a low percentage of critical systems lacking security patches means you’re maintaining working controls. Similarly, if you have a high percentage of network devices that meet configuration standards, you’re keeping your information secure.
Harnessing change for a competitive cybersecurity advantage
One malware or ransomware infected employee device can change your entire organization’s security profile in the blink of an eye. You need to be willing to seek out new tools to continuously monitor your systems, networks, and software for vulnerabilities. New tools that provide real-time visibility into the evolving threat landscape can help mitigate risks and protect data.
Delivering remediation solutions rapidly
Whether it’s a weak control or a data event, you need to be able to secure your information rapidly. According to Ponemon’s 2018 Cost of a Data Breach Report, the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) increased from 2017 to 2018. Additionally, the longer it took to identify and contain the data breach, the more the breach cost. Deploying security automation tools, and harnessing changing technology, lowered those costs by decreasing the MTTI and MTTC.
Reflecting and readjusting
Everyone knows that data events are no longer an “if” but a “when.” You need a process that allows you to reflect upon the breach’s cause and readjust. To engage in this process, you need an audit trail that enables your organizational review. If you need to change how you protect your data, you need to know the location of the weak control.
Conveying information efficiently
You need to be able to share information between departments. All internal and external stakeholders need to be able to share information openly and efficiently. When managing a compliance program, your c-suite, CISO, CIO, department heads, and auditors need access to information necessary to carry out their jobs. Thus, you need a single source of information that allows you to track communications and manage documentation.
Maximizing the amount of work not done
With digital tools, you can automate mundane tasks. Finding tools that incorporate workflow management and document sharing can help you maximize the amount of work not done. If you can assign tasks and automate the task management process, you can save time and do less “work” in the long term.
When it comes to data, all stakeholders need to be satisfied, not just customers. Customers need to trust that you protect their data. The c-suite and Board of Directors need to be confident that they understand the risks and mitigation strategies that protect data. Internal and external auditors need to be satisfied that you have met all industry standards and regulatory compliance requirements.
How ZenGRC Enable Agile Compliance
ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.
ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.