How to Apply Continuous Compliance in the Modern Workplace
Our previous post underscored the close link between security and continuous compliance for modern financial sector organizations. But given that the processes related to continuous compliance need – almost by definition – to be ongoing, how do you apply them in a manner that’s not constantly getting in the way of other day-to-day business processes? Fortunately, there are answers with the help of the right MSP partner.
Continuous Compliance Must Be Sustainable Over Time
Continuous compliance is an ongoing investment, so the priority is to make that investment sustainable over the course of time. The way to achieve this is to focus on making the effort both targeted and iterative. Otherwise, you could end up with an expensive “boil the ocean” approach that may be a mile wide and an inch deep when it comes to keeping up with threats, vulnerabilities and regulatory rules as they shift over time.
It’s far too costly, and would bog down business processes, to try to blanket the entire organization with endless security and compliance investments. That’s why focusing such investments is crucial. For instance, Company X may deal heavily with protected customer and financial data, whereas Company Y’s business model and reputation depend more on the availability of systems. These variations should inform the focus area of the organization’s security and compliance operation (e.g. ransomware or business email compromise for Company X; DNS and similar attacks for Company Y).
Continuous compliance must also be iterative in order to stay current with constantly changing threats, software vulnerabilities and business processes. The goal should be a virtuous cycle of ongoing testing, improvement and retesting – all of which must be informed by expertise on the rules, vulnerabilities, processes and underlying technology that most apply to what’s being tested.
Applying Continuous Compliance to Both Technology and Workforce-Related Risks
The targeted and iterative approach must strengthen compliance around both the technology and workforce-related security efforts underway in a modern financial organization. On the technology side, for instance, think of vulnerability scanning and patching. The continuous compliance cycle may involve scanning for gaps, developing patches and then rescanning for any remaining gaps.
Meanwhile, consider the workforce example of phishing awareness testing and training. Initial phishing tests may isolate certain processes or scenarios where users are most susceptible to clicking on bogus links. These results can inform root cause analyses, which in turn may drive a process improvement. Then there may be user training to highlight proper cyber-hygiene for such processes, followed by a subsequent testing round to see if user behaviors improve.
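To make the two cycles above concrete, here is an added example (not code from the original post or from any MSP’s tooling) that measures one test → improve → retest iteration for each. All data is constructed inline: the scan results use illustrative finding names rather than real vulnerability identifiers, and the phishing log uses made-up users and scenarios. It shows what the “rescan for remaining gaps” and “see if user behaviors improve” steps actually compute, and how the output of one round becomes the target list for the next.

```python
"""One test -> improve -> retest iteration for a vulnerability scan and a phishing simulation.
Added example with constructed data; names and thresholds are illustrative assumptions."""
from collections import defaultdict

# --- Technology example: scan, patch, rescan -----------------------------------
# Constructed scan output: host -> set of open finding names (placeholders, not real IDs).
SCAN_BEFORE = {
    "web-01": {"tls-weak-cipher", "openssh-outdated"},
    "db-01": {"smb-signing-off", "openssh-outdated"},
    "app-01": {"openssh-outdated"},
}
SCAN_AFTER = {
    "web-01": {"tls-weak-cipher"},                          # patch applied, config gap remains
    "db-01": set(),                                         # fully remediated
    "app-01": {"openssh-outdated", "new-finding-placeholder"},  # patch missed, plus a new gap
}


def rescan_delta(before, after):
    """Compare two scan rounds per host.

    Returns host -> {"fixed": set, "remaining": set, "new": set} so the rescan
    distinguishes what the patch cycle closed from what it left or introduced."""
    delta = {}
    for host in sorted(set(before) | set(after)):
        b = before.get(host, set())
        a = after.get(host, set())
        delta[host] = {"fixed": b - a, "remaining": b & a, "new": a - b}
    return delta


def hosts_needing_rework(delta):
    """Hosts with remaining or new findings: the target list for the next iteration."""
    return sorted(h for h, d in delta.items() if d["remaining"] or d["new"])


# --- Workforce example: phishing test, train, retest ---------------------------
# Constructed simulation log: (round, scenario, user, clicked). Round 2 follows training.
PHISH_LOG = [
    (1, "invoice", "alice", True), (1, "invoice", "bob", True),
    (1, "invoice", "carol", False), (1, "invoice", "dave", True),
    (1, "password-reset", "alice", False), (1, "password-reset", "bob", True),
    (1, "password-reset", "carol", False), (1, "password-reset", "dave", False),
    (2, "invoice", "alice", False), (2, "invoice", "bob", True),
    (2, "invoice", "carol", False), (2, "invoice", "dave", False),
    (2, "password-reset", "alice", False), (2, "password-reset", "bob", False),
    (2, "password-reset", "carol", False), (2, "password-reset", "dave", False),
]


def click_rates(log):
    """Return scenario -> {round -> click rate} from a simulation log."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for rnd, scenario, _user, did_click in log:
        sent[(scenario, rnd)] += 1
        clicked[(scenario, rnd)] += int(did_click)
    rates = defaultdict(dict)
    for (scenario, rnd), n in sent.items():
        rates[scenario][rnd] = clicked[(scenario, rnd)] / n
    return dict(rates)


def most_susceptible(rates, rnd):
    """Scenario with the highest click rate in a round: where root-cause analysis starts."""
    return max(rates, key=lambda s: rates[s].get(rnd, 0.0))


def unresolved_scenarios(rates, before, after, target=0.10):
    """Scenarios where the post-training round did not improve, or still exceeds the
    (assumed) acceptable click-rate target. These go back into the next cycle."""
    return sorted(
        s for s, r in rates.items()
        if r.get(after, 0.0) >= target or r.get(after, 0.0) >= r.get(before, 0.0)
    )


if __name__ == "__main__":
    delta = rescan_delta(SCAN_BEFORE, SCAN_AFTER)
    for host, d in delta.items():
        print(host, d)
    print("next patch targets:", hosts_needing_rework(delta))
    rates = click_rates(PHISH_LOG)
    print("click rates:", rates)
    print("most susceptible scenario in round 1:", most_susceptible(rates, 1))
    print("scenarios still unresolved after training:", unresolved_scenarios(rates, 1, 2))
```

The point of both halves is the same: each round produces a short list (hosts to rework, scenarios to retrain) rather than a pass/fail verdict, which is what keeps the cycle targeted instead of re-testing everything every time.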
Both these examples illustrate the need for continuous curation of compliance and security-related activities and resources – and that’s something clients will invariably need the help of a seasoned MSP partner to do. Such a partner can help navigate issues like alert fatigue in the case of phishing awareness – it’s possible to be too continuous in such testing if you’re doing it daily and you remove the element of surprise. Or with patching, clients need a partner who knows how to optimize the patch design in the first place, and then apply automation to enable the patching to happen continuously at scale.
Ultimately, continuous compliance doesn’t need to be a continuous headache and perpetual choice between secure operation and seamless processes in a modern organization. It’s possible to achieve both with the help of the right MSP partner – one with both the workforce and technical expertise to strategically target and iteratively improve on the areas most critical to a modern organization’s regulatory and compliance needs.