Small to medium-sized businesses are faced with the same Cybersecurity challenges and compliance
requirements as large companies but generally don’t have the budget or internal resources to address
these requirements. One of the questions we always receive from small and medium-sized companies
is: What is the best strategy for remaining compliant with multiple IT regulations (PCI-DSS, SOC2,
ISO27001, GDPR, HIPAA, CMMC, etc.)?
There actually is a simple answer to this difficult question. RITC Cybersecurity’s mantra is that if you are
secure, you will be compliant, but if you focus solely on compliance, you won’t be secure. Not only do
we have a plan to make you secure, but also a way to keep your company secure year-round, not just at
audit time.
Before you can be compliant, however, you need to assess your environment against a cybersecurity
framework. For small to medium-sized businesses, we recommend NIST CSF for those with compliance
requirements like SOC2, PCI, or HIPAA. All these frameworks require you to document your processes,
which is necessary for compliance. Starting with NIST CSF will establish the proper basis and
documentation for being compliant with SOC2, HIPAA, or PCI. Generally, we have found that by being
compliant with NIST CSF, you will be somewhere between 80-85% compliant. This leaves the last roughly
15% that is compliance framework-specific to complete. If your only responsibility is securing your
environment and establishing secure processes for cybersecurity insurance or customer questionnaires,
CIS is an excellent option.
When it comes to gathering evidence, RITC Cybersecurity has found that operationalizing the evidence-
gathering process is the best way to ensure you are compliant year-round. Evidence gathering as part of
your KTLO staff’s monthly, or quarterly job functions enables you to operationalize tasks across your
entire team, verifying security configurations with screenshots, documentation and process reviews,
collecting vulnerability reports, and other risk-specific processes throughout the year. No special tools
are needed for tracking this evidence collection; we recommend simply creating help desk tickets or
managing a team calendar to ensure the tasks are completed. For an evidence repository, you can use a
secure SharePoint or a secured network drive. However, it is critical that this evidence is secured, with
access available only on a need-to-know basis. This data should be classified as highly confidential.
Now, I am sure you are thinking to yourself: My team is lean, or I am the team. How much time and how
many resources will I need to maintain compliance year-round? The answer to this question really
depends on your team size and the size of your environment. Let’s use policy review as an example. The
best way we have found to deal with policy review is not to look at all 20-25 policies once a year, but to
break them down quarterly. So, if you have 20 policies, that’s 5 policies once a quarter, and if nothing
changes, how hard is that really? At that point, you are mostly just updating the review date on the
documents and checking off that they have been reviewed. It gets a little more difficult if your policies
are continually changing. Back to the time commitment, though — in our experience, the extra
workload is generally 5-10 hours a quarter per team member, based on the factors of scope and team
size. The key to making this manageable is the first 12-18 months when you are working on getting the
company compliant with a security framework.
So, what does this really get us? The methodology has multiple benefits: It gets your team used to
gathering the required evidence for the annual audit, eliminates chaos and overload at audit time, and
provides you with a continual snapshot of where you stand from a security and compliance perspective.
Using SOC2 or PCI as an example, when this process is operationalized, you will save time when the QSA
or auditor arrives, reduce auditors' hours, engagement time, and cost. Your internal teams will spend
less time figuring out how to do an annual one-time task, and they may already have some evidence
ready, as both PCI and SOC2 require things like vulnerability scans, remediation, help desk tickets,
penetration test reports, etc., as part of the audit. By operationalizing compliance, costs are typically
reduced by 15%-25% in the years after the first audit.
Lastly, you may ask: I am a team of one or two — how am I really going to do this? Well, the answer is
simple: Contact RITC Cybersecurity, and we will provide the resources and experience you need to
support and streamline your compliance efforts for less than the cost of bringing in additional resources.