An XKCD comic strip shows two tech workers frustrated that there are 14 competing standards for a variety of use cases. “We need to develop one unified standard that covers everyone’s use cases,” they say. The next frame shows that there are now 15 standards instead of one.
Brad Arkin, the chief security and trust officer at Cisco, will tell you that this illustration of how standards proliferate hits uncomfortably close to the truth. “Everybody is trying to come up with their own set of security controls that they would like to see SaaS applications adhere to,” Arkin says. Such commendable goals notwithstanding, enthusiasm for being the defining standard for SaaS security compliance instead creates a confusing jungle of competing ones: ISO 27001, SOC, CS in Germany, IRAP in Australia, and ISMAP in Japan, to name just a few.
“[The European Union’s GDPR] set the template and a variety of geographies have followed,” says Doug Ross, practice VP of insights and data at Sogeti, part of Capgemini. “We can easily see the number greatly increasing over the next 18 to 24 months. The regulatory environment is getting much more complicated by the day.”
Ross adds that the problem arises not just in the delivery of services but in disaster recovery and business continuity operations as well. “If you need something that is GDPR compliant, you’re not going to be able to bring up that data in Singapore, for example,” Ross says.
Such complications spell problems for companies such as Cisco – the enterprise conducts business in more than 100 countries – who have to jump compliance hoops every time a new certification standard is introduced. Compliance fatigue results from every team having to go through the same cycles of walkthroughs, interviews, and the audit process over and over again.
Cisco’s cloud control geo-certification solution
To resolve the challenge of drowning in geo-certification compliance, the company launched the Cisco Cloud Controls Framework (CCF), a complete set of requirements designed to meet industry certification standards. It provides a set of controls for global market access to Cisco SaaS business entities, along with guidance on implementation. The project was a recent CSO50 award winner.
In researching CCF from a resource optimization point of view, the team found that certifications typically fall into two tracks: government and commercial. In addition, the commercial standards – CS for Germany, IRAP in Australia, ISMAP in Japan – “are largely using the same control set in sometimes different language and different levels of detail,” Arkins says.
They lent themselves well to abstraction – a set of controls that could be complied with and incorporated into a framework for easy access across multiple business units. Extensibility was a key feature as the number of certification requirements is a moving target, Arkin says. “There are always going to be developing standards and the existing ones are also evolving, so we had to ensure CCF kept an eye on them and changed them over time. If it were set in stone, it wouldn’t be useful for too long,” he says.
Finding consensus among different business units with competing visions for how to achieve compliance, was an early challenge. A cross-functional Change Advisory Board with representatives from each unit helped iron out wrinkles.
Cloud Control Framework in action
At its core, the problem of geo-certifications is “a business challenge with a technical solution,” Ross says. Recognizing this, Cisco evaluates every new certification that crops up, from the return on (time) investment point of view: Would it make business sense to pursue this? If it does, the new certification requirement is mapped thoroughly to understand which parts might already be included in the CCF framework. Those that are not are taken on and incorporated with generic controls that capture the new standard.
As the process proceeds, Cisco expects fewer iterations as most conditions will already have been met by the CCF framework. “We’re trying to get out of the way of the engineers so they can focus on customer problem-solving,” Arkin says.
Advantages of a centralized approach to compliance requirements
Before CCF, which launched in January 2021, teams were following their own protocols for compliance and reinventing the wheel quite often. One of the advantages of CCF, Arkin says, is that the framework has become a one-stop shop to understand compliance requirements, no matter where the standard originates.
Especially important, the CCF also addresses the security – not just the compliance – parts of the equation. One of the goals of the project being worked on is to incorporate compliance checks into security tooling.
CCF has allowed Cisco teams to scale more easily by taking advantage of overlaps between requirements of different certifications. Streamlining the process has led to less audit fatigue and lower related fees. “We can respond to customer requirements and it’s not a big burden anymore,” Arkin says.
Words of advice on security and privacy compliance
The CCF framework is an open-source tool, which means others can make use of it as needed. Arkin’s word of advice to CSOs: Make sure everyone understands the relative priority of these tasks – not just engineering, or HR or compliance. All of them have to work together. Also, hire a single audit firm. Otherwise, you have three different forms bumping into each other, asking the engineers the same questions over and over again.
Ross agrees. “You really need your chief privacy or information officer and your general counsel to be weighing in on this and steering the vehicle in the right direction,” he says. Another piece of advice: “Ensure your audit trails are robust, reliable, and can’t be tampered with. It helps prove you’ve followed the dictates should an incident actually happen.”
In the future, Arkin hopes to accelerate the pace of compliance. “Once we have the framework down, that is the big opportunity – to accelerate the work we’re doing,” he says.
The underlying premise behind CCF can readily translate to pretty much any business problem which involves unnecessary repeat labor. “The key word here is ‘convergence,’” Arkin says, “if we have 70 teams going about 70 unique ways to solve the same exact problem, I aspire to have a single tool that will solve that problem once and do it really, really well.”