A continuous assurance model plays an important role in a robust cybersecurity program. At Compliance Week’s virtual Cyber Risk & Data Privacy Summit on Tuesday, a panel of cybersecurity experts shared best practices for achieving continuous assurance and getting necessary buy-in.
“Security is a team sport—something that should be done by design and on a regular cadence, not just something done to check the boxes just to make your auditor happy,” said Casey Allen, chief information officer at Concentric, a cybersecurity risk management firm.
Panelists shared the following specific measures toward achieving a continuous assurance cybersecurity model:
Tie KPIs to performance reviews. One way to build a robust cybersecurity program and ensure it becomes a shared responsibility is to tie key performance indicators (KPIs) to people’s performance reviews. In a continuous assurance model, tying KPIs to the risks and controls people own “becomes a much more long-term sustainable security model and enforces the fact that security is a team sport and everybody has a role to play,” Allen said.
Shift the culture. Often, the attitude around cybersecurity and compliance is “we have a team that does that stuff, so we don’t have to worry about it,” said Aaron Poulsen, senior director of information security, risk, and compliance at software vendor Hyperproof. “In fact, everyone has to worry about security and compliance.”
Part of shifting culture means helping employees understand why cybersecurity is necessary, rather than simply focusing on what cybersecurity is and how to implement controls, Allen said. “If you want something to stick, that is what you need to focus on doing better,” he said.
Tie cybersecurity risks to job function. “We also need to rebrand ourselves from a cost center to a business enabler,” Allen added.
“Always tie it back to risk,” he said. “Risk is one of the few common lexicons we have to communicate across business functions.”
Every business goal has risks attached to it, Poulsen said. So, mapping cybersecurity threats to a specific job function and communicating how risk potentially can prevent someone from doing their job helps drive home that message, he said.
Write an engaging cybersecurity policy. Beware of poorly written risk statements, Allen cautioned. Framing a story around a particular cyber risk helps.
“If X, then Y. If this, then that,” he said. For example, rather than just citing ransomware as a threat, explain what would happen if the organization were to be the victim of a ransomware attack. “That helps tell the story.”
Anecdotal stories also help, Allen said. One example is citing a ransomware event that happened to another company and asking, “What if this happened at our organization?”
Use technology as a force multiplier. In addition to people, processes, and policies, technology is a “force multiplier” of a continuous assurance cybersecurity model, Allen said. Organizations that don’t have a dedicated security team need to make the most of technology to clone themselves and get more done with fewer people, he said.
Moreover, having the right platform in place to move toward a continuous assurance model “helps to democratize cybersecurity and make it more accessible throughout,” Allen added.
People, processes, and technology are the “three-legged stool” of a continuous assurance cybersecurity model, said Kyle Spohn, director of IT risk at 3M Health Care. “If any are out of balance, you’re going to tip over.”
Spread audit activities throughout the year. Rather than go through a painful annual audit, consider spreading it out across the year. “Executive leadership teams know how intrusive an audit can be,” Poulsen said.
Constraining audit activities to a few weeks forces everyone to run around and frantically get an understanding of the firm’s security posture at the same time as the auditors. “That’s the absolute worst-case scenario, but I’ve seen it repeat itself over and over again,” Poulsen said.
“If you’re able to communicate the value of going through an audit certification cycle—which is really a 365-day project—and tie that to risks,” Allen said, “and if you can show risk owners why continuous assurance is in their best interest, it helps to get the buy-in that is necessary.”