Compliance Management, Cyber Risk Management

Cybersecurity And The SCF | SureCloud

Written by Tom Cornelius

Published on 18 Nov 2022

Is a Vendor’s Promise to Deliver Compliance to your Organization in Weeks Plausible?

Guest author: Tom Cornelius, Senior Partner at ComplianceForge and SCF Founder

When we first started the Secure Controls Framework (SCF) back in 2018, we had the ambitious goal to provide free cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of their size, industry or country of origin. We started off mapping to a few dozen different laws and regulatory frameworks, but fast forward to today, and that number has grown to over 100.

A lot has changed in our industry in the four years since we launched SCF, but one thing that hasn’t is our core mission to provide a powerful tool that helps to advance cybersecurity and privacy controls. With a small army of volunteer specialists working on an open-source platform, we know that delivering compliance cannot be achieved overnight.

That’s why it’s so jarring when we see a growing number of service providers making extraordinary promises to deliver compliance management solutions in weeks or even just a matter of days.

So, are these claims credible, and can providers really deliver reasonable compliance in a matter of weeks? The short answer is: no.

There is no silver bullet.

Everyone wants the silver bullet. Maybe it’s weight loss pills that promise that you’ll end up looking like a movie star without having to put the hard work in at the gym, or even a get-rich-quick scheme that promises untold millions with little or no risk.

It’s human nature to want to take a shortcut to your end goal. The problem is that if something sounds too good to be true, then the chances are that it inevitably is.

When it comes to compliance, there are no shortcuts, no silver bullets and no quick fixes. While achieving compliance in a short timeframe is theoretically possible, most organizations require a significant time period to implement complex and extensive changes. The exceptions to this rule are generally smaller organizations that are cloud-native with no legacy technology, or a start-up environment that lacks existing processes and technologies.

When a vendor promises that it can deliver compliance in a short timeframe, it should be viewed at best as deceptive advertising or, at worst, as fraudulent business practices due to the vendor’s incompetence or apathy.

Neither option should fill you with confidence, since compliance is a task that cannot be 100% outsourced. That means the vendor either doesn’t understand enough to realize what it’s promising is improbable, or it does not care and is willing to say anything to gain an increase in sales without considering the impact it has on its clients.

Compliance takes time

There’s no way around it; compliance takes time, since a standard is a standard for a reason. That’s true of all organizations, but especially those who are looking at highly complex requirements like CMMC, PCI DSS, SOC, ISO 27001/2 and even GDPR.

In fact, if you look at any organization from a reasonable perspective, it’s clear that achieving compliance is something that’s going to take months, if not years. Most successful compliance endeavors take a risk-based approach to prioritizing efforts that reduce risk and, hopefully, prevent reengineering compliance management solutions during the development journey.

Put simply, compliance doesn’t happen overnight. There’s an interconnected web of cybersecurity and data privacy requirements that modern businesses have to adhere to. This is further compounded as more and more aspects of our lives are digitized and automated.

Today’s landscape is overwhelmingly complex.

The makeup of modern organizations also adds an additional layer of complexity. With multiple sectors, processes, supply chains and systems to manage, mapping controls across all lines of business takes time – and that’s before you even consider additional aspects such as the sensitivity of your data, your level of inertia and how committed senior management is to the initiative.

A top-down approach

The process of compliance is complex and requires extensive planning and adequate time to execute the transformations needed within an organization. A top-down approach that holistically embeds compliance in every aspect of your operation is a big shift – one that will need to be planned and implemented strategically in order to succeed.

In my work at ComplianceForge and SCF, I tell people that we are “tool builders”. We make compliance management solutions that can enable organizations to move faster towards their end goals. However, I’m also quick to point out that no matter how sophisticated a tool may be, tools are no substitute for the legwork that ultimately needs to be done to make your organization compliant, and that’s before we talk about security.

At the end of the day, there are no shortcuts in compliance – so, ‘buyer beware’ when anyone tells you otherwise.

We’re offering our clients the tools they need to help move faster towards their end goals… but no matter how sophisticated they may be, these tools are no substitute for the legwork that ultimately needs to be done to make your organization compliant and secure.

To hear more from Tom Cornelius and his take on compliance management solutions, check out this episode of our Capability-Centric GRC & Cyber Security podcast. It features a wide-ranging discussion about the most significant cybersecurity and compliance issues we face today.