The stakes of compliance are high: a single non-compliance event costs on average $4M in revenue. Technical compliance is a key piece of any organization’s compliance strategy; however, meeting technical controls is time-intensive and expensive, and many organizations don’t do enough. Read more to learn what technical compliance is, how your organization can achieve it, and how Sicura uses automation to enforce technical compliance and give engineers their jobs back.
What is technical compliance?
Compliance includes the policies, procedures, paperwork, and controls that a governing body agrees will make an organization safer. It’s a broad set of rules and regulations, and organizations often know they need a compliance program but don’t know where to start.
Technical compliance refers specifically to the controls within computers and systems that prevent breaches and limit the risk of exposure if a breach does occur.
All compliance, including technical compliance, starts with a policy written by people. Different industries have selected or are required to have specific policies:
- The Center for Internet Security (CIS), a non-profit serving the global IT community, publishes the CIS Benchmarks™. CIS is trusted by the retail, financial services, and government sectors as the standard-setter for technical compliance. An example of a CIS Benchmark is that all passwords must be at least 14 characters long.
- The Payment Card Industry Security Standards Council, composed of major credit card providers including Visa, Mastercard, and Discover, publishes the Payment Card Industry Data Security Standards (PCI-DSS). These requirements govern all merchants who collect and process credit card data and seek to ensure that each step in the retail chain is secure and protects customer data. One PCI rule is that specific firewalls must be used to protect customer data.
- When passed by the US Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) led to the creation of standards to protect sensitive health data and prevent disclosure without the patient's consent. Today, all health care organizations must manage patient data in compliance with HIPAA policies. If you go to the doctor, they must obtain your signature before disclosing any information on your health to an outside source.
- The National Institute of Standards and Technology publishes sets of controls such as NIST 800-53, a catalog of security controls for government systems. These controls are used by state and federal agencies to ensure government systems are not breached.
Internal and external auditors frequently assess systems for compliance with these policies, and the consequences of failing to meet them can include major fines and legal issues.
How is compliance different from security?
It’s important to understand that while related, security and compliance are not the same thing. Security and compliance strategies share the goal of preventing breaches and limiting the impact if breaches do occur. However, the major difference is that you can prove compliance and you cannot prove security.
Because compliance is based on specific policies, you can easily demonstrate adherence to those policies. Scanners, including the CIS-Cat Pro Assessor which is natively integrated into the Sicura platform, can assess the state of a system and measure its adherence to each specific control.
In contrast, you cannot “prove” security because security is the end goal, not an achievable state. Your system might be secure at a moment in time, but hackers are always finding new ways to enter systems.
If security is about hitting 100%, compliance is about taking care of the first 85% — taking care of the low hanging fruit and developing a baseline. By implementing a technical compliance strategy, you can demonstrate you’re taking reasonable steps to make your system secure and preventing the easiest or most obvious breaches.
How do organizations achieve technical compliance?
It’s clear to most organizations that technical compliance is an urgent priority, but the path to achievement isn’t always clear. A technical compliance program will require the buy-in from a number of stakeholders throughout the organization.
At most organizations, technical compliance is required by the Security team but is achieved by IT, DevOps, or Engineering — those are the folks with hands on keyboards who are responsible for ensuring the systems hold up and that data is managed securely.
Security and compliance teams choose a compliance policy or standard and send it over to their engineering teams to “make it happen”, but they often fail to understand just how time consuming it is. Even if a new system is compliant when it’s set up, the day-to-day activities and human error can quickly lead to drift, meaning that a previously-secure system is no longer locked down.
Engineers spend hundreds of hours per year trying to keep their systems in compliance — time that could be spent on higher-level projects that take advantage of their expertise and achieve business goals.
In contrast to the manual process described above, Sicura allows engineers to automate security and compliance in their DevOps workflows. Systems start compliant and stay compliant with the help of our automated framework that translates compliance policies to code, enforces them on the system, and automatically remediates issues. We save our customers an average of four hours of labor per server per year, leading to millions of dollars in annual savings and allowing teams to redeploy their engineers to key business goals.
If you’d like to work with Sicura to automate technical compliance and bridge the gap between your security and engineering teams, get in touch.