“Evidence-Based Security” Requires Strategic Collaboration Beyond the IT Department

By Corey Hoyt | August 12, 2020

Business leaders who view security as purely an IT objective will leave their company vulnerable. And for some, that can translate to lost revenue in the years to come.

For defense contractors in the DoD supply chain, the Cybersecurity Maturity Model Certification (CMMC) implementation timeline is on the move. CMMC compliance for these organizations is essential and that means implementing security practices across all aspects of the organization. Businesses that gain the right level of certification early will benefit from near-term competitive advantage as compliance must precede contract bidding. Basically, if you don’t have the right level of CMMC compliance at the onset, you can’t even bid.

Leaders motivated to prioritize, meet, and maintain compliance must take a broad view and evidence-based approach to security to ensure they’re moving on the right path.

Hopefully, for organizations in the DoD supply chain, the urgency is established. Business leaders not under specific compliance can also benefit from these practices to improve their overall security posture. There are a few insights we’ve learned along the way to align security within your strategic business objectives:

Security compliance requires collaboration beyond IT and across business units.

To meet compliance, a broad view of the organization is necessary to identify and implement technical, administrative, and physical controls. But it’s easy to assume that security—and cybersecurity specifically—falls solely into the technical world and thus would live with the IT department. After all, the IT department has the tools and resources to control system roles and access permissions. And systems are where our data lives. This mindset overlooks the administrative and physical security that is just as essential to safeguarding data, which is why business leaders are a critical component in driving a successful Information Security strategy.

Viewing security from a technical perspective might form the walls of a house, but we’re still missing the doors and roof. To follow the metaphor further, that leaves the house open and vulnerable to hackers walking right in. Positioning security as a shared objective and strategic priority of leadership fosters shared responsibility to evaluate, document, and audit what information is accessible across the organization. Security reaches beyond IT, and compliance requires broad-spectrum, business-driven change.

“Proving it” takes place in every department.

With CMMC preparation, we find the greatest challenge for organizations is the new concept of “proving it”. There is no longer an option to “self-attest” to compliance as there was with NIST 800-171. If you say, “We only provide access to employees with a business reason to need it”—you’ll need to support that statement with documented evidence for CMMC compliance. This is sometimes referred to as “evidence-based security”.

Each department must establish who has access to data, how they access that data, and why. If the right protocol, such as multi-factor authentication, isn’t in place, steps to improve security may need to be adopted. Following through on security practices will require follow-up. Similarly, access to and within facilities must also be examined and proven to meet certain practices within CMMC compliance. Again, your information security objectives overall should reach far beyond your IT department alone. Outside of the technical controls, we must also consider the physical and administrative controls.

This can seem daunting; there’s no doubt about it. Identifying where data and information can be accessed, and whether that access is appropriate, takes a significant investment of time and resources. Your business has likely grown over time, and your current practices are in place as a result of that growth. There’s no better time to begin the task of reevaluation than today and, luckily, there’s a place you can start.

Begin with a Gap Analysis or Risk Assessment, but don’t stop there.

A Gap Analysis evaluates the security practices you are expected to meet against what you have in place today. At Mainstay Technologies, that analysis results in three documents used as tools for discussion and tracking: a comprehensive compliance report detailing findings, an initial draft of your Plan of Action and Milestones (POA&M) for risk management, and an executive summary synthesizing our recommended strategy and path moving forward. The goal is to walk away with an understanding of where you need to focus your attention to align your day-to-day operation with your compliance requirement. For Mainstay, our process includes mapping your existing practices by consulting leadership, human resources, sales, operations, and other business units.

If opting for a Risk Assessment, it’s an opportunity to assess and identify areas of compliance, non-compliance, or partial compliance with a set of required controls. The assessment helps to uncover areas of risk for breaches, data leaks, and other issues. As part of the process, Mainstay will test, identify, and rate that risk. This allows for in-depth technical and organizational recommendations: closing gaps, improving compliance, and mitigating critical vulnerabilities. But you likely won’t stop there. Resulting from these activities, you’ll have a clear understanding of what needs to happen next. More than just IT, a comprehensive IT and Cybersecurity services partner like Mainstay can assist in closing gaps and improving how you manage risk.

There are benefits to partnering with Registered Practitioners designated by the CMMC-AB.

Registered Provider Organizations (RPO) have been designated by the accreditation board to provide CMMC consulting services. Like many organizations, Mainstay Technologies is in the process of becoming one of the first companies to hold this designation, along with our team of Registered Practitioners (RP). Our soon-to-be RP team members have extensive experience with information security program and compliance management. A CMMC consulting partner like Mainstay is intimately familiar with the basic constructs of the CMMC Standard and holds vast experience in preparing clients for an audit. Following a Gap Analysis or Risk Assessment, we often partner for long-term, comprehensive IT and Cybersecurity services to support ongoing compliance.