Don't miss

3 Tips To Reduce Cybersecurity Compliance Costs

Cybersecurity Cots

By Jerrod Montoya

Cybersecurity compliance costs companies millions of dollars per year. Here, Jerrod Montoya, security and compliance counsel with Open Access Technology International and an adjunct affiliated professor in Mitchell Hamline School of Law’s online certificate program in cybersecurity and privacy law, offers three tips to help you manage cost and avoid some troublesome aspects in the current compliance landscape.

Three big industries facing cybersecurity regulation today are finance, energy and health care. Many unregulated vendors serving the regulated industries voluntarily comply with certain standards for the benefit of their customers. For example, Google’s and Amazon’s cloud services both undergo several annual audits. Neither Google nor Amazon is required to undergo, say, a SOC 2 or FedRAMP audit, but both do.

While provided as familiar examples, Google and Amazon are really outliers. According to the Small Business Administration, small businesses make up more than 99 percent of the United States economy. These smaller companies simply cannot compete on the same level as Google and Amazon, but the unregulated small businesses serving a regulated industry must find a way to remain competitive despite hefty compliance costs. This is where two troublesome cybersecurity best practices come into play.

The first troublesome area is right-to-audit provisions in contracts. A right-to-audit clause is used by companies to preserve the right to conduct an audit of the vendor at any time at least once annually. The company contracting the service is usually nice enough to bear the cost of the audit. Nevertheless, the right-to-audit provision can spell doom for a small business.

For the sake of argument, let’s assume five companies decide to invoke their right to audit a small or even mid-sized business. This would mean that five separate companies send their own auditor to audit one small or mid-sized business. This is a recipe for disaster, especially if the company being audited already has its own annual audits to worry about. Unlike Google or Amazon, a small or mid-sized business would not likely absorb these five audits well.

Another troublesome trend in the security world is the security questionnaire. While not new, the use of security questionnaires saw an uptick in usage following the now infamous Target data breach, which involved a downstream vendor vulnerability that was exploited to infect Target’s point-of-sale machines with malware. The Target breach shined a bright spotlight on supply chain security, and the security questionnaire has grown in popularity ever since.

Security questionnaires typically come in an Excel spreadsheet that a vendor must fill out and return to the requesting company. The number of questions in these questionnaires ranges from 10-20 to more than a thousand! Both creating and answering these questionnaires can be a tremendous drain on company resources.

Rather than expending time, money and resources on right-to-audit and security questionnaires, companies should follow these three tips:

1 – Do cybersecurity first
First and foremost, implement good risk-based security measures based on your company’s unique position. By choosing cybersecurity first, a company is not driven by a cybersecurity standard. Rather, standards become chosen to speak for what is already implemented.

2 – Choose NIST
The National Institute of Standards and Technology (NIST) is the government’s go-to standards body. President Obama tasked NIST to develop a common cybersecurity framework for the public and private sectors to use, which has since been codified into law. Although designed for government use, these standards are heavily relied upon by the private sector and also enjoy worldwide recognition. The best part is that the standards are free.

3 – Trust the audit report
Done right, an audit report replaces both the right-to-audit provisions and security questionnaires. Follow the tip above and contract for a NIST audit report. This will create a common language for all to use, and a single report can save both parties a lot of time and effort.