This was originally published by ISACA in August 2023.
Information security and compliance operate in silos at some organizations, but greater collaboration between the functions reduces security risk and boosts compliance. Collaboration shifts these functions from cost centers into true business enablers, but how can information security and compliance work interdependently to deliver efficiency and value?
- Information Security leaders ask: How do I make sure compliance is not just a check-the-box exercise?
- Compliance leaders ask: How can we align with information security strategic plans and roadmaps to ensure compliance gaps get addressed?
- Leaders of both functions ask: What opportunities to collaborate do we have that will benefit the organization as a whole?
We draw from our own experiences as Vice President of Information Security and Director of Security Compliance at AuditBoard to discuss what each of our functions contributes and how our teams work together to ensure strategic alignment.
Partnership Opportunities to Add Value
We’ve found our compliance and information security functions add more value together. In fact, a natural driver for partnership may be the security framework standard itself. For example, our information security program is based on both International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) frameworks. ISO’s framework in particular emphasizes accountability across the organization, which facilitates partnership opportunities. Through a variety of efforts, we collaborate to add more value, which demonstrates that neither compliance nor information security is merely a cost center. Here are a few examples:
- Working together to build business cases and budget: Compliance can help identify justification for security investment in customer contracts or compliance frameworks that enable revenue — making security more than a cost center. As we’ve grown, we’ve acquired more customers with elevated regulatory requirements governed by international regulations. Compliance and information security work together to navigate overlapping regulations from multiple jurisdictions to simultaneously meet new customer requirements and implement new security controls that benefit all customers.
- Developing security initiatives to reduce risk: The information security team may have the best view of likely threats facing the business, but compliance can contribute the “industry standards” and best practices for implementing controls that customers and regulators expect to be put in place to mitigate those threats. In this way, compliance can serve in a product manager role, helping refine product security requirements. Compliance and information security work together to identify the best controls to reduce risk.
- Connecting data for comprehensive visibility: There are many information security functions and controls that require a comprehensive view of organizational assets to be effective: vulnerability management, endpoint monitoring, zero trust access control, and many more. Compliance has a similar need for comprehensive visibility during assessment scoping. There is no easier way to fail an audit than when rogue assets are found without any security controls. As a result, compliance and information security have a great opportunity to partner and combine information about the universe of assets the organization is responsible for securing, and to align on risk prioritization.
- Governance and risk management leverage: Depending on organizational structure, information security and compliance teams may not always have the leverage to consistently or effectively influence risk-aware decision-making. Compliance teams can benefit from the authority held by the CISO in policymaking or in enforcing accountability for risk acceptance to increase their influence. Compliance teams tend to have closer partnerships in the business, and the information security team’s influence can be similarly increased by leveraging the compliance team’s typically strong relationships with legal, finance, and procurement.
Compliance and Information Security in Collaboration
When information security and compliance functions collaborate, the entire enterprise benefits. Common opportunities for collaboration include prioritizing controls, conducting risk assessments, and quantifying risk.
- Prioritizing controls: With strong relationships throughout the business, compliance is in a position to create a single source of truth for a variety of records, such as assets, people, and data. Once established, that source of truth provides information security with the means to prioritize and apply security controls.
- Conducting risk assessments: Many security frameworks require risk assessments, and technology assets are certainly part of their scope. With the ISO framework, for instance, compliance initiates the risk assessment. Information security can then assign risks to critical assets in a structured IT risk management (ITRM) process. ITRM makes it possible to understand the asset landscape comprehensively, so it becomes straightforward to identify areas of high risk.
- Quantifying risk: We see a movement from older, “impact versus likelihood” risk assessment approaches toward modern, quantitative risk assessments. Information security can provide historical incident data that informs calculations of risk likelihood and supports issue management by pinpointing the control failures behind each incident.
Facilitating Collaboration for Risk-Informed Decision-Making
There is a tremendous opportunity for information security and compliance to work together to reduce security risks and boost compliance efforts. Close collaboration between compliance and information security can be further facilitated with compliance management technology to simplify working together on evidence collection, gap analysis, and issue remediation. In environments with multiple security frameworks, both teams can greatly benefit from real-time visibility into frameworks and control assessments. By adopting processes that foster collaboration, these functions can transform themselves from cost centers into true business enablers.
Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.
John Volles, CISA, is a Director of Information Security Compliance responsible for managing AuditBoard’s compliance, risk, and privacy obligations as well as helping customers understand AuditBoard’s security posture and position. John joined AuditBoard from EY, where he reviewed and implemented client compliance programs and supporting technologies. Connect with John on LinkedIn.