At Compliance Week’s Virtual Cyber Risk and Data Privacy Summit on Wednesday, Rachael Pashkevich Koontz, senior cybersecurity compliance advisor at telecommunications company T-Mobile, shared her thoughts on cybersecurity certifications and on which programs may suit particular organizations.
Like many projects, improving a company’s cybersecurity controls first requires resource support, which compliance officers often struggle to obtain. Koontz offered three ways to demonstrate the value of a certified cybersecurity program.
“First, are your customers currently asking for it?” she said. “…It’s a little reactive, but if your customers demand it, you can say, ‘Look, customers demand it; we need to.’”
If customer demand isn’t an available argument in your business, Koontz suggested next looking at your competitors and determining whether their customers have made similar demands. A competing company leveraging the value of its certifications is an easy way to raise eyebrows in the C-suite.
“I’ve seen deals made because my company had a certification that my competitors didn’t,” she said. “It may sound funny – it’s a safety certification – but for customers it’s important.”
Third, Koontz noted growing demands from cybersecurity insurance providers for companies to prove they have security controls in place to maintain coverage.
“The way everything matures, we’re going to have to start proving it anyway, so let’s get ahead,” Koontz said.
But what does getting ahead look like? Once the foundational elements of your program are in place (policies, procedures, training requirements), how should your company determine which certification to pursue?
The process is different for every company, Koontz noted, with varying risk considerations shaping the decision. A popular starting point is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a guide designed for self-attestation. The NIST framework is free and technically focused, helping companies understand the fundamentals of critical infrastructure cybersecurity while retaining the flexibility to grow beyond its requirements.
“NIST is a great place to start integrating your controls or mapping to a framework,” Koontz said. “Once you are confident in your abilities there, I would recommend upgrading to an externally validated certification.”
This certification could be ISO 27001, SOC 2 (Type I or II) or the Cybersecurity Maturity Model Certification (CMMC), depending on your needs, your customers, your geographical footprint, etc. And those are just a few options; Koontz noted that a good place to start with any certification is to take a course to become an internal auditor on its requirements, which prepares you for what external auditors will look for when testing your controls.
Be proud of your certified program
Once you’ve received a cybersecurity certification, make sure your customers are aware of the achievement, Koontz advised. “It always amazes me when someone works so hard to get certified and doesn’t put it on their website or tell customers about it before they ask for it. It’s a differentiator for your business,” she said.
Koontz shared her personal appreciation for the way Amazon Web Services (AWS) advertises its certifications on its compliance page, where it lists the standards with which the company complies, broken down into certifications and attestations; laws, regulations and privacy; and alignments and frameworks.
“Not everything on this page is a certification; part of it is a self-attestation where [AWS] says, ‘Hey, we are aware of this law and we respect it,’” Koontz said, reiterating her point as an outside observer. “I think it’s great for customers to build that trust.”