Why a compliance strategy should be important to executives

TL;DR SOC first, then HIPAA/PCI-DSS, then ISO 27001, then HITRUST, then anything NIST-based other than FedRAMP, then FedRAMP.

TL;DR part 2, ones you can wing yourself: CSA Star level 1, COBIT, NIST CSF.

When I first started working on engagements with clients, one thing I noticed immediately is that one does not so much decide to meet compliance as have it inflicted upon them. Compliance is, for many businesses, like a communicable disease. It’s something you “get.”

For example, people come down with PCI-DSS when they store, process, or transmit card holder data (CHD.) This is a dramatic reenactment of a shop that had to meet PCI-DSS:

I propose that, as an executive leader in your organization, you instead shift to a point of view where compliance is an enabler. In the same way that it would be problematic to ski without skis, it would be difficult to take your products and services to market without certain compliance frameworks. Any shop currently undergoing FedRAMP immediately just nodded when I said that.

What does compliance as an enabler mean? It means that you place the most effort in meeting those compliance frameworks that get your products to the markets that have the highest likelihood that your sales force can sell them. In the same way your grandmother used to enable your cookie access when you visited her, your compliance frameworks can get you into regulated markets that require those frameworks to be met in order to sell there.

Examples of compliance frameworks that are enablers include SOC 2, HITRUST, FedRAMP ISO27001, and others. They get you contracts, or access to marketplaces.

If we then agree that compliance can be an enabler and not an affliction, then we agree that it probably matters the order in which you pursue them right? Much in the way you cannot effectively do math without the order of operations. For examples of how doing math without a plan is bad, I present this for your viewing pleasure:

OK, so stay with me here. If you agree that compliance is an enabler, and you also agree that it’s important to have sound strategy around important business decisions, then you should also agree that having a strategy around the order of operations for your compliance is important.

If you need a live example of why this is important, just try to go from no compliance to FedRAMP. If you’ve ever heard that tech companies “build the plane in flight”, then going from no compliance to FedRAMP is like building the plane in flight while you are also trying to build the runway on which you land, and also you randomly have people falling out of the plane because it has no doors, and also it’s on fire.

I’ll wait here while you try to go from no compliance to FedRAMP…

But you know what happens when you google “overall compliance strategy?”

You get this for a result set.

The Internets don’t really have a lot to offer you in terms of building a cohesive compliance strategy. Strategy is very important. Even the Roadrunner and Wile E. Coyote utilize a cohesive strategy for how they operate together. See here:

This is where cloud security consulting firms come in. I feel like I can say that unironically, because at this point I’ve worked at three of them. I think one of the most undervalued things a decent firm brings to bear is strategy. Simply put, we’ve helped take people to market over, and over, and over…and over.

This is how many times we’ve taken clients to market, in pancake form:

I gave you a TL;DR with the order of operations for compliance (in my opinion) if you didn’t want to suffer through my many pop culture references. Business people call that a “value add.” That’s a strange way of saying I gave you something that made things at least marginally better.

If you would like to know more about building a cohesive compliance strategy around which products to take to market, in which order, and which compliance frameworks you would need to do that, we at ScaleSec are also available in a pop-culture reference free version for a nominal fee.