Four Ways a Compliance Audit Can Inform Your Strategy as a New CISO
As a CISO new to your organization, or new to the CISO role, your first internal or external audit brings a unique opportunity to uncover valuable insights. Here are four ideas for approaching your first audit so that it is not only successful but also delivers the maximum strategic value to the rest of your data security program and plans.
Previous Compliance Audit Report Provides Valuable Clues
In your first week, were you directed to a stack or a folder where the organization’s last audit reports are housed? Did you get excited at the wealth of information hidden there or did you put those resources to the back of your mind? While everyone wants the CISO to be more strategic and visionary, industry and regulatory audit results provide details to inform your initial focus for creating a more defensible security program.
Security Compliance Beyond Check the Box
It’s a typical mantra for a cybersecurity consulting firm to profess the value of “good compliance hygiene” and the value of basic cybersecurity. For a new CISO, however, reviewing the last audit and discussing it with leadership can reveal the organization’s culture when it comes to data security.
- How do the C-suite and board view your role and responsibility around compliance?
- Did the organization secure outside help for audit prep last time?
- Were compliance maintenance activities planned in advance and throughout the year or was it a mad dash to the finish line?
- Did cross-functional teams work well with the CISO’s office to prepare?
- Did they communicate effectively and were they responsive to each other?
- Is there a blame game going on as a result of the last compliance audits?
Questions like these reveal the organization’s posture and give a sense of how much support will be available for your first audit, and how you should approach leadership, your team, and the socializing of your plans.
Leverage Audit Reports Before Completing a Host of Assessments
Gartner’s report, “The CISO’s Guide to Your First 100 Days” suggests that a new CISO perform seven core assessments in their first 100 days, including physical security, business continuity and disaster recovery, privacy, and compliance. In our CyberLean approach, we would recommend using your last compliance audit as a good foundation before launching into a host of assessments.
From this exercise, you will get a picture of strengths, possible weaknesses, and areas for improvement.
- How easy is it to access or inventory information sources, existing policies, technology plans, and security metrics?
- How mature does the program appear from your review of recent audits?
- Is the team good at day-to-day security operations but struggling with demonstrating compliance?
- Is the employee constituency as a whole strong in understanding compliance-related duties and rules or are there a lot of holes in knowledge and practice?
Greater Compliance & Cybersecurity Maturity Reduces Data Breach Risk
Your organization may be required, or may choose, to participate in a variety of IT or security audits, such as HIPAA, PCI-DSS, SOC 2, GDPR, and HITRUST CSF. In healthcare, the HITRUST Common Security Framework (CSF) was designed as a unified schema to streamline the process of achieving and proving compliance. HITRUST’s maturity model is based on the Program Review for Information Security Management Assistance (PRISMA) model, which was developed by NIST.
A 2019 report published by HITRUST included an analysis of assessment data from the last decade, indicating that organizations using the HITRUST CSF to achieve higher maturity were less likely to experience a data breach. Additionally, more mature data security programs are better equipped to contain and mitigate the damage if an attack occurs. Their report showed that the HITRUST CSF control maturity scoring is a “valid method of evaluating and predicting ongoing control effectiveness and residual information risk.”
This further confirms the value of compliance to the organization’s overall cybersecurity maturity and data security protection.
Tackle Your Cybersecurity Priorities with the Right Support
As a new CISO, there is a lot on your plate. As you review compliance documentation and create your initial assessment plan and audit prep calendar, we’re here to help. Whether you need some interim CISO project help or would like to bring in a fresh auditor, our team has the experience and the approach to bring greater resiliency for your budget.