If you are not familiar with cybersecurity compliance, you will be soon. More and more companies are forced into compliance as privacy issues and theft affect their businesses. IT compliance is defined as the act or fact of complying with a regulation. Regulations are high-level guidelines created for specific industries to address specific problems.
Here are a few real-world examples of regulations that impact IT pros:
- The global finance industry uses credit card numbers, and those numbers must be encrypted to avoid theft, so the Payment Card Industry Data Security Standard (PCI DSS) was created.
- The health care industry uses patient health information (PHI) that must be securely transmitted to doctors’ offices and insurance providers, so the United States created the Health Insurance Portability and Accountability Act (HIPAA).
- Federal governments work on national security, so the United States created the Federal Information Security Management Act (FISMA) to ensure all agencies secure their data.
More recent privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) ensure customer data is protected and stored locally to the consumer. That means if you are a U.S.-based company and you have customers in Europe, you must ensure the customer data is stored in Europe and bound by European laws, even though your company is in the United States. IT teams must work harder to ensure they comply with the growing number of regulations.
What Are Security Controls?
Cybersecurity professionals need to fully understand these regulations because each one includes a specific number of security controls. These are broad cybersecurity tasks that must be implemented, such as backing up information systems or encrypting data, both at rest and in motion.
PCI DSS has more than 50 security controls, HIPAA has more than 100 and FISMA has more than 1,000. The more cybersecurity controls, the more difficult the regulation will be to implement. NIST Special Publication 800-53 outlines common security controls used by industries across the globe. Security control examples include ensuring access control policies and procedures, access enforcement, separation of duties and least privilege permissions.
These controls are critical to ensure global economies function securely and businesses continue to provide services, to maintain our medical systems, and to protect our national security. There are few tasks more noble than implementing security controls.
Separation of Duties: Cybersecurity vs. IT Infrastructure
IT departments are breaking into two teams, or two departments, to accommodate the increase in regulations. Cybersecurity is breaking apart from the traditional IT infrastructure team due to separation of duty requirements in nearly all regulations.
As companies grow in size and become more regulated, they separate cybersecurity from IT infrastructure to ensure the security controls are implemented, audited and reported to the regulatory agency. The cybersecurity team often works in a separate security operations center (SOC).
For example, if your company is regulated, you will probably be required to enforce a security control to back up all information systems. Although they are separate teams, the cybersecurity and IT infrastructure teams work together to get the company in compliance:
- The cybersecurity team determines what the company needs to do to comply with the regulation and assigns the work to the IT infrastructure team.
- Then, someone on the IT infrastructure team, like a systems administrator, completes the work.
- The cybersecurity team ensures the task is done, provides proof that it’s complete, ensures the backup is secure and reports completion of the security control to the regulatory agency.
Many security controls revolve around penetration testing and cybersecurity analytics. For example, another common security control is continuous monitoring of information systems. Continuous monitoring is usually completed by a security analyst on the cybersecurity team, who monitors the network using a security information and event management (SIEM) system such as Splunk or IBM QRadar. If the security analyst receives a SIEM security alert that indicates a compromised user laptop, the security analyst might create a help desk ticket for an infrastructure IT support technician to quarantine the infected system.
Skills Needed for Cybersecurity Jobs and How to Get Them
As you can see, cybersecurity jobs require both management and technical analysis skills.
CompTIA continues to expand the coverage of these skills in its cybersecurity certifications:
- The new version of CompTIA Security+ (SY0-601), scheduled for release in November 2020, includes privacy standards that impact cloud security, how to perform systems and security administrator tasks in hybrid and heavily regulated environments, and how policy is the main hurdle.
- The new version of CompTIA Cybersecurity Analyst (CySA+) (CS0-002), scheduled for release in April 2020, includes an entire domain on compliance. CySA+ helps companies remain compliant through continuous monitoring and reporting found in nearly all regulations.
- CompTIA PenTest+ covers penetration testing as well as vulnerability assessment and management skills to help companies obtain and remain PCI DSS compliant.
- CompTIA Advanced Security Practitioner (CASP+) covers compliance and its relationship to security and enterprise network architecture. The security architect determines how to integrate security controls within existing network architecture.
In summary, cybersecurity professionals are heading into a world of regulation compliance. If you are not already familiar, you need to prepare yourself, and the CompTIA Cybersecurity Career Pathway can help you do that. Cybersecurity jobs are projected to grow much faster than average, in part due to the increase of regulations being placed upon companies throughout the globe.
Read more in Compliance in Cybersecurity Part 2, where you’ll learn more about regulatory compliance and its effect on cybersecurity teams. Not only is the IT department breaking in two to support compliance, but the cybersecurity team is also breaking in two. We’ll talk about this phenomenon next time.
Patrick Lane, M.Ed., is a Director of Product Management for CompTIA. He manages cybersecurity workforce skills certifications, including CompTIA Security+, PenTest+, Cybersecurity Analyst (CySA+) and CompTIA Advanced Security Practitioner (CASP+).
He assisted the U.S. National Cybersecurity Alliance (NCSA) and the Director of Cybersecurity Policy at the National Security Council (NSC) to create the “Lock Down Your Login” campaign to promote multi-factor authentication nationwide. He has implemented a variety of IT projects as a network administrator, systems administrator, security analyst and security architect.
Patrick is a U.S. Armed Forces Communications and Electronics Association (AFCEA) lifetime member, born and raised on U.S. military bases. He has assisted the Defense Information Security Agency (DISA) with scalable SIEM techniques from the private sector, and has authored and co-authored multiple books, including Hack Proofing Linux: A Guide to Open Source Security (Syngress/Elsevier). Patrick has received certifications in CompTIA Network+, Security+, (ISC)2 CISSP, and Microsoft MCSE.