In this day and age, there is a tool for everything. Taxes, budgeting, dieting, all of these have tools. Some tools are so ubiquitous in our lives that we cannot imagine life without them.
Cybersecurity is no exception – there are tools for every need, from firewalls and antivirus to reporting and automation. When it comes to cybersecurity, proper usage of these tools is what separates a mature environment with real protection from cyber threats from a slapdash environment in which tools have been tossed together in the hope that they will protect the organization. This difference in cybersecurity maturity comes from something that tooling currently cannot offer: the knowledge, understanding, and planning that allow an organization to design and build an environment that mitigates its risks effectively.
To ensure that organizations adhere to a certain level of security and maturity, the world has come up with various standards and frameworks that organizations can use as a guide for building their cybersecurity strategy. Frameworks such as the NIST Cybersecurity Framework provide guidelines that organizations can follow when building their strategy, but do not offer a certification option the way standards such as ISO 27001 (certification) or SOC 2 (an attestation report issued by an auditor) do. Certification is essentially independent verification, for anyone else, that an organization meets a defined level of cybersecurity, which is quite important in today’s world. Compliance may be mandated by regulation, as with HIPAA in US healthcare, or it may be required contractually in order to do business with another organization.
Regardless of where the requirement comes from, compliance with robust and well-designed standards is fast becoming the norm in business today. This shift has left many organizations struggling to implement cybersecurity programs that adhere to the wide range of requirements these in-depth standards dictate. These new requirements have in turn led to the development and popularization of tools meant to help organizations meet them. However, this has led many organizations to believe, falsely, that they only need to buy a tool to pass an audit. This is through no fault of the tool providers; rather, it comes from a lack of understanding, or a misunderstanding, on the organization’s part of what exactly compliance with these standards requires.
Mature standards usually consist of at least two kinds of requirements: the first is documentation in the form of written policies, the second is the implementation and ongoing monitoring of controls. The written policies govern what the organization’s strategy will be, how it will identify risk, and how it plans to manage that risk. Implementation of controls, on the other hand, is closer to what people traditionally associate with cybersecurity: using firewalls to block network traffic, for example, or installing antivirus to protect against malware. Tools are needed to implement many controls, firewalls and antivirus among them, and many tools exist to help an organization implement a cybersecurity strategy that adheres to the standard it is trying to meet. The keyword here is “help”: tools can play an important role and be of great value to you and your organization. However, they ultimately cannot replace a solid cybersecurity strategy, or the knowledge needed to design and implement adequate controls: controls that not only fulfill the requirements but also avoid unnecessarily complicating your employees’ work.
To properly implement a cybersecurity program that will pass an audit and achieve certification, an organization needs an in-depth understanding of how each requirement in a standard fits together with the others to form a mature cybersecurity program. This task requires a human being with knowledge of the standard and the ability both to create the necessary policies and to select the right controls for the organization. Once an organization has identified the person(s) with this knowledge who can implement the standard for it, those person(s) can then identify tools that may make achieving compliance easier.
These tools may include preassessment tools meant to identify and display the difference between where an organization currently stands and where it wishes to be (a gap analysis). Other preassessment tools allow the implementation status to be tracked, documents to be collected as evidence, and reports to be generated for use in demonstrating compliance during the audit itself. Whichever tool is used, it requires people with knowledge of the standard to enter meaningful and adequate data; otherwise its output cannot be accurate.
Similarly, policy templates may help overcome initial writer’s block and thus facilitate the process of writing policies for an organization. Without a proper understanding of the standard’s requirements, however, policies built from these templates may end up lacking the components necessary for the organization to meet the standard and achieve certification.
Bottom Line:
Cybersecurity tools can play a useful role in a well-structured cybersecurity strategy. However, it is important to keep in mind that these tools are never a quick fix, nor, on their own, a guarantee of security or compliance. In fact, using a variety of tools from multiple vendors may cause more headaches, not fewer. It is knowledge of how the standards work that allows us to pick the right tool for the job and to understand the limitations of whatever tools we select.
When it comes to compliance with any specific standard, self-assessment tools and software that track the implementation status of a standard or framework such as ISO 27001 or the NIST Cybersecurity Framework can be very useful, and can facilitate communication within the organization and with consultants like Ecuron. These tools can reveal gaps, track implementation, and save time, but they can never replace the know-how needed to plan a solid cybersecurity strategy as a foundation, or fulfill essential compliance requirements such as selecting effective controls to put in place.