How do you stay compliant with multiple frameworks simultaneously?
Author: Mike Rotondo
Published on: September 22, 2024
Small to medium-sized businesses are faced with the same cybersecurity challenges and compliance requirements as large companies but generally don’t have the budget or internal resources to address these requirements.
One of the questions we always receive from small and medium-sized companies is: What is the best strategy for remaining compliant with multiple IT regulations (PCI-DSS, SOC 2, ISO 27001, GDPR, HIPAA, CMMC, etc.)?
There actually is a simple answer to this difficult question. RITC Cybersecurity’s mantra is that if you are secure, you will be compliant, but if you focus solely on compliance, you won’t be secure.
Not only do we have a plan to make you secure, but also a way to keep your company secure year-round, not just at audit time.
Start with a Cybersecurity Framework
Before you can be compliant, however, you need to assess your environment against a cybersecurity framework.
For small to medium-sized businesses, we recommend NIST CSF for those with compliance requirements like SOC 2, PCI, or HIPAA.
All these frameworks require you to document your processes, which is necessary for compliance.
Starting with NIST CSF will establish the proper basis and documentation for being compliant with SOC 2, HIPAA, or PCI.
Generally, we have found that by being compliant with NIST CSF, you will already be somewhere between 80–85% compliant with these frameworks.
This leaves the last roughly 15% of requirements, which are specific to each compliance framework, to complete.
If your only responsibility is securing your environment and establishing secure processes for cybersecurity insurance or customer questionnaires, CIS is an excellent option.
Operationalizing Evidence Gathering
When it comes to gathering evidence, RITC Cybersecurity has found that operationalizing the evidence-gathering process is the best way to ensure you are compliant year-round.
Making evidence gathering part of your KTLO (keep-the-lights-on) staff’s monthly or quarterly job functions lets you spread these tasks across your entire team throughout the year: verifying security configurations with screenshots, reviewing documentation and processes, collecting vulnerability reports, and performing other risk-specific activities.
No special tools are needed for tracking this evidence collection; we recommend simply creating help desk tickets or managing a team calendar to ensure the tasks are completed.
For an evidence repository, you can use a secure SharePoint site or a secured network drive. However, it is critical that this evidence is secured, with access available only on a need-to-know basis.
This data should be classified as highly confidential.
How Much Time Does Compliance Require?
Now, you may be asking: "My team is lean, or I am the team. How much time and how many resources will I need to maintain compliance year-round?"
The answer depends on your team size and the size of your environment.
Let’s use policy review as an example. The best way we have found to deal with policy review is not to look at all 20–25 policies once a year, but to break them down quarterly.
If you have 20 policies, that is five policies each quarter.
If nothing changes, the work is mostly updating the review date on the documents and confirming they have been reviewed.
It becomes more involved if your policies are continually changing.
In our experience, the extra workload is generally 5–10 hours per quarter per team member, depending on the scope and size of your environment.
The key to making this manageable is the first 12–18 months when you are working on getting the company compliant with a security framework.
Benefits of This Methodology
So, what does this methodology really accomplish?
It gets your team used to gathering the required evidence for the annual audit, eliminates chaos and overload at audit time, and provides a continual snapshot of where you stand from a security and compliance perspective.
Using SOC 2 or PCI as an example, once this process is operationalized you will save time when the QSA or auditor arrives, and you will reduce auditor hours, engagement time, and cost.
Your internal teams will spend less time figuring out how to complete an annual one-time task, and they may already have some evidence ready, as both PCI and SOC 2 require vulnerability scans, remediation records, help desk tickets, penetration test reports, and similar documentation.
By operationalizing compliance, costs are typically reduced by 15%–25% in the years after the first audit.
Need Help?
Lastly, you may ask: "I am a team of one or two—how am I really going to do this?"
The answer is simple: Contact RITC Cybersecurity, and we will provide the resources and experience you need to support and streamline your compliance efforts for less than the cost of bringing in additional resources.