If it seems like cybersecurity standards are more complex than they used to be, you aren’t imagining things. PCI DSS 4.0 was just released this year, with several new requirements that must be fulfilled. Shortly before that, the DoD introduced the CMMC standard to replace NIST 800-171 with new requirements.
Not only are today’s cybersecurity standards more complex than before, you can expect them to keep growing in complexity — indefinitely. Cybersecurity is an arena whose complexity keeps increasing as the field evolves to address new threats on the landscape.
What Drives the Growing Number of Compliance Requirements?
Technology changes over time — and with it, attack patterns change as well. There’s a predictable pattern that repeats itself, and each iteration means more controls are needed to protect your organization.
- New technology is released, with new holes and vulnerabilities.
- The bad guys discover those vulnerabilities and exploit them in new ways.
- Once a vulnerability becomes known, patches are released and the holes are plugged.
- In response, attackers discover new ways to exploit the system, especially as new technologies are released with new vulnerabilities.
And the cycle continues.
Along the way, attackers become more sophisticated in their methods — they don’t merely exploit new vulnerabilities, they also find new ways to deceive their targets. Phishing attacks become more believable and more difficult to spot.
One Very Convincing Phishing Attack
I’ve been in the cybersecurity industry for about two decades, and I’ve learned to spot a phishing attempt a mile away. But the other day I witnessed the most sophisticated email attack I’ve seen to date.
The email came to me from a law firm that I know well. First, I received an invitation with a link to a Dropbox folder. About 40 minutes later, I received a follow-up email stating that they had sent an important file they needed me to review, sign, and return. It was too sensitive to deliver through email, so they had sent me a Dropbox link.
The typical telltale signs of a phishing email were missing:
- The email came from a source I know and trust.
- The originating email address was a legitimate email from the firm — not a masked one, but the lawyer’s actual email address.
- The content of the email was professional and extremely well written, without any spelling or grammatical errors.
- There were no links within the email that pointed to unknown domains.
- The follow-up email was exactly the type of message I would expect from a law firm that was doing its due diligence to protect sensitive information.
The only thing that gave me pause — and it was such a little detail that it would be easy to overlook it — was the fact that I didn’t have any reason to expect an email from the firm.
The other little detail I noticed was that it was sent from the law firm, to the law firm — indicating that the email was sent to a large list of recipients who were all bcc’d. And that seemed suspicious, considering the intent of the email was purportedly a message specifically for me.
I went to the law office’s official website and called the listed main number to see if it was a legitimate email, and only got as far as “I just received an email —” when the receptionist cut me off. “Do NOT click on that link,” she said. Many of their clients had already been duped.
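The signals that gave the message away were structural rather than textual: it was addressed from the firm back to the firm with the real recipients hidden in Bcc, it arrived without any prior expectation, and the “too sensitive for email” document lived on a file-sharing link. Because the sender address was the lawyer’s genuine one, checks on the sending domain alone would not have helped. The following is an added example, not code from this post or from TCT, that scores those structural signals on a constructed message; every name, address and domain in it is made up, and the list of file-sharing hosts is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample message (all names, addresses and domains are made up).
SAMPLE_MESSAGE = """\
From: Jane Counsel <jane.counsel@example-lawfirm.test>
To: Jane Counsel <jane.counsel@example-lawfirm.test>
Subject: Document for your review and signature
Content-Type: text/plain; charset=us-ascii

Please review, sign and return the document at the secure link below.
https://www.dropbox.com/s/placeholder/agreement.pdf
"""

# Hosts commonly used to deliver a "sensitive" document (assumed list, extend as needed).
FILE_SHARE_HOSTS = {"dropbox.com", "www.dropbox.com"}


def _domain(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message, my_address, expected_senders):
    """Return the list of structural phishing signals found in raw_message.

    my_address: the mailbox this message was delivered to.
    expected_senders: addresses from which a message was actually anticipated.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    visible = [addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    me = my_address.lower()
    findings = []

    # Signal 1: the only visible recipient is the sender itself -> bulk Bcc send.
    if sender and visible and all(addr == sender for addr in visible):
        findings.append("self_addressed")
    # Signal 2: the real recipient is absent from To/Cc, so delivery was via Bcc.
    if me not in visible:
        findings.append("recipient_hidden")
    # Signal 3: no correspondence from this sender was expected.
    if sender not in {s.lower() for s in expected_senders}:
        findings.append("unexpected_sender")
    # Signal 4: the "too sensitive for email" document sits on a file-sharing host.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hosts = {urlparse(u).hostname or "" for u in re.findall(r"https?://\S+", body)}
    if hosts & FILE_SHARE_HOSTS:
        findings.append("file_share_link")
    return findings


def verdict(findings):
    """Two or more structural signals: stop and verify out of band before opening."""
    if len(findings) >= 2:
        return "verify_by_phone_before_opening"
    return "no_structural_signals"


if __name__ == "__main__":
    found = triage(SAMPLE_MESSAGE, "me@example-client.test", expected_senders=[])
    print(found, "->", verdict(found))
```

The verdict deliberately stops at “verify out of band”: the check that actually resolved the case above was a phone call to the number on the firm’s own website, not anything in the message, and that is the step the heuristics should lead to rather than replace.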
The Future of Compliance Management Is Complex
As attackers become more sophisticated, compliance standards add more requirements (and more complexity) to provide better protection. And that means more work and a greater burden to organizations trying to maintain compliance.
The world of cybersecurity is continually becoming more complex, and it isn’t going to stop.
Not only that, but as your business grows into new areas, you’ll have new customers with new security requirements for their vendors. It won’t be enough to be certified under PCI DSS; you’ll also need to be SOC 2 certified or HIPAA compliant. So you have more standards to meet, as well as increasing complexity within each of those standards.
The capacity for compliance standards to add more requirements is infinite. The capacity for human beings to keep up with the additional burdens is most definitely finite. So what does that mean for you?
How Burdensome Will Compliance Management Get?
As compliance standards require more of you, there’s only one logical conclusion: you slowly lose your mind. Today you might have other responsibilities on top of compliance, but eventually you’ll have to get those responsibilities off your plate to focus entirely on security and compliance.
Then you’ll reach the end of your rope, and you won’t be able to handle compliance full-time anymore. You need assistance, so you bring on a compliance assistant. After a few years, as compliance standards continue to evolve, your compliance assistant is neck-deep in the work as well. And the cycle continues.
This isn’t theory — I see it happening in organizations all the time. Phoenix Financial’s (at the time) CIO, Jamie Hefty, went through it firsthand. “At one time, PCI was just a check box and you didn’t have to worry about the details,” he said. “We discovered that over the last few years PCI had ballooned into a full-time job. It was unbelievable how much work it was going to be.”
When Phoenix Financial hired TCT to help them get their compliance ducks in a row, Jamie was working 16-hour days to stay on top of it all.
Featured Case Study
Phoenix Financial Services Navigates Compliance Chaos
Learn how TCT removed Phoenix Financial's overwhelming challenges of becoming PCI compliant.
If compliance management is only going to become more massive, there must be a solution to preserve your sanity. If so, what are your options?
How to Handle Increasing Compliance Complexity
It’s unbelievably challenging to keep all this increasing complexity together, especially if you’re managing compliance manually. That said, you have some options.
Option 1: Hire more people
As your burden increases, bring on more skilled staff to help share the load. This is a common option, and it allows you to scale dynamically along with your needs. But it’s also expensive, and at some point the compliance department’s spend is perceived to outweigh its value to the company.
Option 2: Engage a third-party consultant
An outside compliance consultant can provide expert assistance with managing your compliance program. For many organizations, once they hit that critical mass where they just can’t take it anymore, it makes a lot of sense to bring in a third-party consultant who has done nothing but compliance management for years.
These professionals have a depth of expertise and bring a breadth of invaluable experience to draw upon. Your compliance management consultant can also recommend the most effective technology to streamline your compliance program. Even the best professionals can’t do everything manually, and they’ll know how to leverage the right technology to do more with less time and effort.
Option 3: Increase automation of your compliance management program
Whether you choose option 1 or option 2, automating compliance management is a critical add-on that frees up hundreds — and often thousands — of hours of onerous effort. And that translates to tens (or hundreds) of thousands of dollars you don’t have to spend on new hires.
The TCT Portal compliance management system can reduce your manual labor by as much as 65 percent, and the payoff increases each year you use the system. Discover how much your organization will save with TCT Portal.
Don’t Wait to Plan for Future Compliance Burdens
However you respond to the burdens of compliance management, it’s important to start thinking ahead. How will you prepare for the complexities and additional requirements that are coming your way? What options make the best business sense for your organization, and what do you need to put in place now so you can readily adapt in the future?
Compliance management already sucks. TCT makes it suck less.