Marissa Mayer, former President and CEO of Yahoo! once said: "With data collection, 'the sooner the better' is always the best answer."
Data is king, as we all know. Our daily job is to collect the data, analyze it, and decide whether a control is well implemented and enforced. But who can even consider "doing it sooner" if you are the Compliance manager of a multimillion-dollar company, with dozens of systems to collect evidence from?!
If you missed my other post, let me quickly recap. Data is important, yet the process of getting it can be elusive. Old data can barely be trusted, and overcoming partial data means more legwork—so all in all, collecting good, reliable data is quite the headache.
There are three data challenges that modern security, marketing, and BI solutions face:
InfoSec Compliance data is no different.
If we can overcome these three challenges, we will be able to enjoy and leverage real data for Compliance.
With access to real, comprehensive, up-to-date and normalized data, your professional work starts. Analyzing the data first helps you determine your level of compliance. Moreover, since Compliance is yet another business risk, you can then focus on mitigating both security-oriented and pure Compliance risks that can impact your business.
So what's the bottom line? Good, reliable data is your holy grail; it's much more than just replacing old screenshot-based evidence collection with a new approach.
We can all agree that getting good data and analyzing it the right way is crucial.
Introducing new technology is usually hard—but introducing the vision of real data in this world is far more complex. We have to convince auditors (and prove to the industry standards and traditional processes!) that Compliance based on real data can make their lives better too.
So why am I so sure that as a professional community, we can take this data vision to the next level and demonstrate its effectiveness?
I recently conducted some research and found that real data can satisfy more of these requirements than expected. After deeply inspecting PCI-DSS, an accredited list of SOC 2 controls, and even ISO 27001, together with real data from products most companies use (such as AWS, Google Workspace, Okta, Snowflake, PagerDuty, etc.), I saw that it is entirely possible to follow this vision of data-based Compliance without breaking the baselines of our InfoSec Compliance ecosystem.
While user lists from different platforms may look alike, their configurations differ. The new challenge we face is ultimately data normalization. Having reliable Compliance data collected and then normalized is the only way to process the relevant data and then analyze it as a whole.
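As an added illustration (not code from the original post), here is a sketch of that normalization step in Python: three constructed user exports in made-up layouts (assumptions for this example, not the real Okta, AWS IAM or Google Workspace schemas) are mapped onto one common schema and then evaluated together for two typical access controls, MFA enrollment and stale active accounts.

```python
from datetime import datetime, timedelta

# Constructed sample exports. The field layouts are assumptions invented for
# this example, not the real Okta, AWS IAM or Google Workspace API schemas.
OKTA_USERS = [
    {"profile": {"login": "ann@example.com"}, "status": "ACTIVE",
     "mfa": True, "lastLogin": "2024-05-01T10:00:00Z"},
    {"profile": {"login": "bob@example.com"}, "status": "ACTIVE",
     "mfa": False, "lastLogin": "2024-01-03T08:30:00Z"},
]
AWS_IAM_USERS = [
    {"UserName": "carol", "MFADevices": 1, "PasswordLastUsed": "2024-04-28T12:00:00Z"},
    {"UserName": "dave", "MFADevices": 0, "PasswordLastUsed": None},
]
GWS_USERS = [
    {"primaryEmail": "erin@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "lastLoginTime": "2024-05-02T09:15:00Z"},
    {"primaryEmail": "frank@example.com", "suspended": True,
     "isEnrolledIn2Sv": False, "lastLoginTime": "2023-11-20T17:45:00Z"},
]

def _ts(value):
    """Parse an ISO-8601 UTC timestamp; None stays None (never logged in)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def normalize(source, raw):
    """Map one platform-specific record onto the common schema used for analysis."""
    if source == "okta":
        return {"source": source, "user": raw["profile"]["login"], "mfa": raw["mfa"],
                "active": raw["status"] == "ACTIVE", "last_login": _ts(raw["lastLogin"])}
    if source == "aws_iam":  # IAM users carry no suspended flag; treat them all as active
        return {"source": source, "user": raw["UserName"], "mfa": raw["MFADevices"] > 0,
                "active": True, "last_login": _ts(raw["PasswordLastUsed"])}
    if source == "gws":
        return {"source": source, "user": raw["primaryEmail"], "mfa": raw["isEnrolledIn2Sv"],
                "active": not raw["suspended"], "last_login": _ts(raw["lastLoginTime"])}
    raise ValueError(f"unknown source {source!r}")

def collect():
    return ([normalize("okta", r) for r in OKTA_USERS]
            + [normalize("aws_iam", r) for r in AWS_IAM_USERS]
            + [normalize("gws", r) for r in GWS_USERS])

def findings(users, as_of, stale_days=90):
    """Evaluate two access-control checks across every source at once (as_of is ISO-8601 UTC)."""
    stale_before = _ts(as_of) - timedelta(days=stale_days)
    return {
        "active_without_mfa": sorted(u["user"] for u in users if u["active"] and not u["mfa"]),
        "stale_active": sorted(u["user"] for u in users if u["active"]
                               and (u["last_login"] is None or u["last_login"] < stale_before)),
    }
```

Suspended or disabled accounts drop out of both checks, so a control report built from the merged list is consistent no matter which platform the user came from.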
I think that we, as leaders, can guide the industry out of the dark ages of compliance and welcome in a new dawn with:
Innovation can lead to some amazing results and change both how InfoSec Compliance is done and why it’s done.
With an audit process that’s not a burden, but rather a simple “checkpoint”, organizations won’t be afraid of it.
With a simple way of understanding the gaps to achieving the next certification, we can be the ones offering our organization the opportunity to adopt additional frameworks, without fear—while driving more business.
With accurate data that’s always up-to-date, we can start relying on InfoSec frameworks to empower our security team.