Episode details:

In this episode of Agent of Influence, Nabil is joined by Marc Rubbinaccio, Senior Compliance Manager at Secureframe, who explores how to strike a balance between security and compliance. They discuss the most important cybersecurity compliance frameworks to consider, proactive tips for staying ahead of the regulatory landscape, and the relationship between penetration testing and governance, risk, and compliance (GRC).

Show notes:

What are ways organizations can stay compliant without sacrificing the maturity of their security program?

The idea that compliance does not mean security is a commonly held belief among experts in the field. Marc believes that compliance can lead to security, with the caveat that there is no such thing as being 100% secure. For established corporations with mature security programs, compliance can often feel like a check-the-box exercise, however, “SOC 2 [and] ISO 27001 frameworks are an amazing way for startups and small businesses to build a baseline security posture that they can not only be proud of, but also be confident that their customer data is indeed secure.”

What can organizations do to better prepare for changes in PCI DSS 4.0, and what can they do to achieve seamless compliance?

According to Marc, significant changes to PCI DSS 4.0 include:

  • Stricter multi-factor authentication
  • Stronger password security requirements
  • Brand new controls and requirements throughout the report and Self-Assessment Questionnaire (SAQ)
  • Customized approaches

To proactively prepare for these changes, Marc recommends downloading and reviewing the new reports from the PCI Council website. It’s also important to understand which controls are best practices and which are required by 2025.

“I would recommend reaching out directly to your Qualified Security Assessor (QSA). Your QSA is familiar with your environment, audited your environment in the past, and they can help you prepare for your first for 4.0 audit. They’ll understand exactly how the changes may affect your service and environment and will help guide you towards implementation and configuration for the new version.”

Regulatory compliance is an ever-evolving space. What are your tips for keeping up?

Marc recommends organizations focus on the frameworks that they’re currently adhering to or ones that are affecting their industry. The strongest and most powerful tool, though, is your auditor. 

“Your auditor would be able to explain to you exactly what had changed, and specifically if those changes may affect your environment and your implementation as it stands today.”

What compliance frameworks do you recommend people start with if they’re building a security program from the ground up, or if they’re inheriting a security program?

One commonality among all startups and small business is how they store, process, transmit, even impact the security of their customers’ data. Thankfully, there is a solution to building a baseline security program that also builds trust with customers and even enables sales for prospective customers: compliance. HIPAA and PCI DSS come to the forefront, but SOC 2 and ISO 27001 do a great job of helping you establish that baseline security program.

“These frameworks are also built to help ensure that your current security program is configured properly, ensuring that security groups and firewall rules only allow required traffic, monitoring for specifically defined security metrics, and the entire scope of your service is included in a vulnerability management program.”

Secureframe is a NetSPI partner. Can you talk about the intersection of penetration testing and GRC and how you see pentesting supporting GRC initiatives and vice versa?

With compliance frameworks like PCI, FedRAMP, and HITRUST requiring penetration tests annually or when significant changes occur, Marc sees a major overlap between penetration testing and GRC compliance initiatives.

“I personally think it’s time to require social engineering engagements as a compliance requirement. Phishing and social engineering is easily the number one way attackers gain access to data and credentials. People are likely your weakest security link, so it’s important to do what you can to mitigate the chances of a successful social engineering attack. Having an offensive security firm like NetSPI perform a custom social engineering engagement is a great way to do so.”

Marc enjoys traveling and loves to snowboard. He’s also been training in Brazilian jiu jitsu for six years! If you’d like to keep up with Marc, connect with him on LinkedIn.