The first step, obviously, is to understand which external and internal compliance requirements apply to your organization. That is not an easy task, but once it is understood, the relevant regulations, policies, guidelines and so on can be layered on top of each other, and their control requirements can be mapped against one another to see where you can realize consolidation benefits. Services like the Unified Compliance Framework should help with this.
For the sake of this little write-up I’m picking some random control requirements as an example.
Once the control requirements have been identified they can be addressed. You can approach this by looking at the requirements and working on them one by one until all the boxes on the audit sheet are ticked; you’ll likely pass your audit, but the cost/benefit ratio from an overall security posture point of view might be less than desirable – a bit like firefighting with a watering can. In the end you might find yourself with no budget left for other security projects because you’ve used it up fulfilling your compliance requirements. Not an ideal situation, and I would assume rather annoying if you find yourself in this position. It might seem like security controls have been randomly sprinkled over your infrastructure without much added value.
But you could also try to see compliance requirements as a chance to genuinely increase the security posture of your organization. This might not always be possible; it will be harder to accomplish and requires some creativity and time, but it will probably pay off and make your job more satisfying. So, step back, look at what you can work with and connect the dots. If you find the right links, group the right controls and align your assets cleverly, you might be on your way to winning the game 🙂
What I’m trying to say is that compliance requirements have the same goal as your security strategy – to keep your organization ahead in the game without risking any foul play, offside or penalties. The players nominated may not be your first choice, and maybe you don’t like the condition of the playing field, but you are the coach and can bring this home with the right game plan. Just like a real coach, you would probably not put together a team of players who can do only one thing really well, but rather look for players who have their core talent and cover other areas of the game too. To snap out of the soccer analogy: if you look for solutions that cover your compliance requirements while providing additional value to your overall security strategy, your budget might go further and your CFO might like you better. (no promises)