A little commentary on cybersecurity compliance from a cybersecurity professional
During a recent commercial break on the news, there were several advertisements for new pharmaceuticals that addressed everything from lowering blood pressure to diabetes. The one thing that each commercial had in common was that each drug still required healthy eating and exercise to be effective. The advertisers carefully added that their medicine will only work properly if the patient adopts a healthy lifestyle in conjunction with taking their product. This blend of a healthy lifestyle and the appropriate pharmaceutical is an important concept for cybersecurity as well, because there is no “magic pill” in cybersecurity, just as there is none in medicine.
We receive several calls a week from companies hoping for a magic pill: that our products will immediately solve their problems and make them compliant with requirements such as DFARS 252.204-7012 (NIST 800-171) without their doing anything else. While it would be great to say “yes” to that question, the reality is that EVERY statutory, regulatory and contractual cybersecurity requirement takes some effort to reach the point where a company can be compliant, even when buying our products. This applies to NIST 800-171, EU GDPR, PCI DSS, NY DFS and others. This is the cybersecurity equivalent of “adopting a healthy lifestyle and eating right” to get the full effect of the medicine: our clients need to implement the products and adopt secure practices to get the full effect of our solutions.
The next question comes down to “how much time will it take and how much will it cost to really become compliant?” This goes back to the concept of healthy eating and regular exercise being needed for a drug to be effective: if a diabetes/high cholesterol patient is starting off at 600lbs and needs to get down to a target weight of about 175lbs, then a lot of time and effort is needed to reach that goal. By contrast, if the starting point is 225lbs, there is far less work involved in reaching that goal. The same concept applies to reaching a cybersecurity compliance goal. If you are totally out of shape and have no security culture, it will take you longer to reach a reasonable state of compliance than if you are already on the path to establishing a secure culture within your organization. We're giving you the tools to be compliant, but you still have to implement them.
The point of this is to have realistic expectations. Can you lower your blood sugar and cholesterol without taking drugs from a major pharmaceutical company? Yes. Can you build your own cybersecurity documentation without what ComplianceForge sells? Yes. In those situations, you would just have to do the heavy lifting entirely on your own. Just as the pharmaceutical companies provide solutions to help make their clients healthy in a short time frame, our solutions are meant to make the process of becoming compliant easier and less painful.
Want to get compliant? Give us a call. We can help get you on the path to compliance with NIST 800-171, since its December 31, 2017 deadline is coming up quickly. It is not too late to start.