“Trust” is a dirty word in the world of cybersecurity. Need proof? Just do a quick Google search for “Zero Trust” and see how many millions of hits you get. In today’s world, trust itself is not in the vocabulary of most security professionals. Instead, continuous verification tools verify and authenticate everyone and everything to prevent unauthorized persons from accessing valuable information or moving freely within your network; every request has to be poked and prodded. You could use the phrase “trust but verify”, but it might be more accurate to say “verify but don’t trust”.
This isn’t bad, but it doesn’t tell the whole story. We don’t want to extend trust automatically to every identity that exists on the network, but the truth is that trust forms the basis of every relationship. No, it won’t be granted automatically, but it can and must be earned. Enterprises today have dozens, if not hundreds or thousands, of relationships with technology partners, cloud providers, vendors, distributors, customers, and other entities. How do those people and organizations earn that trust? There are no easy answers, but compliance standards play an important role. There can be no trust without transparency, and modern compliance helps make an organization’s security practices significantly more transparent.
Why building trust is becoming more important
Less than two years ago, the SolarWinds breach rocked the cybersecurity world to its core. It wasn’t the first third-party breach, nor will it be the last, but it was one of the most serious. It is exactly what cybersecurity experts have warned organizations about for years: an attacker was able to break into a software provider, inject malicious code into its product, and have it distributed to a huge number of customers. Experts estimate that the breach may have cost each affected company as much as $12 million, and SolarWinds’ own costs include not just financial losses but reputational damage and other costs that are significantly higher and impossible to quantify.
While this description is a simplification, it should remind you that today’s businesses not only have to worry about their own network security; they also have to worry about the security of the individuals and partner organizations that have access to their network. This has made security surveys increasingly popular as organizations explore potential partnerships and vendor relationships. Still, it’s not always easy to gather all the necessary information with a simple survey. Today’s security systems are complex and can vary greatly from industry to industry and even company to company, and not all organizations have the in-house knowledge to analyze the value and effectiveness of specific security tools and policies. So how can organizations ensure that their partners are taking the necessary cybersecurity measures to keep their networks safe?
The role of compliance
Compliance is not a complete solution to the problem, but it plays an important role. Adhering to compliance standards and being audited is no fun for most corporate leaders, but it serves an incredibly worthwhile purpose. These standards provide a common framework within which organizations can judge each other’s security posture in very specific ways. In fact, many standards have no regulatory force at all; they are simply widely accepted as reasonable security baselines, either generally or within a particular industry. This allows people within the industry to hold each other accountable to specific, agreed-upon standards and to penalize those who ignore security. It measures how well you protect the data you hold. This is becoming increasingly important as organizations collect more data and work with more Software as a Service (SaaS) providers.
What these frameworks offer is transparency. Organizations do not self-report whether they meet standards such as SOC 2, ISO 27001, and HIPAA; whether they conform is determined by independent third-party auditors. Moreover, standards like SOC 2 do more than just provide a point-in-time snapshot of security capabilities. They provide a six-month or one-year window on the policies and tools an organization has in place and measure how effective they are over time. There is no such thing as “SOC 2 certified”. This is not a box that companies can check once and forget. It is an attestation against a standard that must be continually evaluated and re-evaluated annually to generate a report verifying that the trust service criteria, or requirements, have been met. This report clearly and simply demonstrates that appropriate precautions have been taken and are working effectively.
This goes a long way toward building the necessary degree of trust between organizations. In fact, some organizations have gone a step further and are using modern tools to gain real-time visibility into their security posture. This streamlines the compliance process and provides transparency far beyond what is expected. Another step an organization can take to demonstrate its security efforts is to participate in industry-wide exercises to identify threats across the sector. Collaboration is becoming more common, especially as organizations share threat intelligence with each other to identify threats faster and remediate them more effectively. Membership in these initiatives is another way to build trust.
Trust is not freely given.
Zero Trust is popular for a reason. No, you should not adopt an attitude of trust in your network and data access policies. However, it is important to recognize that interactions between individuals and organizations depend on establishing a degree of trust. You can’t (or at least shouldn’t) give that trust freely, but there are ways to earn it.
Compliance is not about penalties or other punitive measures. In fact, many modern standards have no “punishment” for non-compliance beyond reputational loss, potential business loss, and loss of trust. In today’s threat landscape, understanding whether your partners, vendors, or customers may be exposed to potentially costly cyberattacks is critical. Adopting a proactive approach to compliance that continuously monitors and evaluates security capabilities is one of the most important ways to establish proof of security and start building the trust that underpins successful relationships.