The bar for proving your company is serious about cybersecurity is rising. Simply having a policy in place without taking steps to assess risks or test exposure is no longer an option.
At Compliance Week’s virtual Cyber Risk & Data Privacy Summit on Wednesday, Rachael Pashkevich Koontz, senior corporate counsel of cybersecurity compliance at telecommunications company T-Mobile, shared her opinions on cybersecurity certifications and which programs may be right for certain organizations.
Like many projects, improving cybersecurity controls at a business first requires resource support that compliance officers often struggle to receive. Koontz offered three ways to demonstrate the value of a certified cybersecurity program.
“One, are your customers requesting it currently?” she said. “… It’s a bit reactive, but if your customers are demanding it, you can say, ‘Look, customers are demanding it; we have to do it.’”
If customer demand isn’t an argument you can make at your business, Koontz suggested next looking at your competitors and whether their customers have made similar demands. A competing business leveraging the value of its certifications is a simple way to raise the C-suite’s eyebrows.
“I have seen deals go through because my company had a certification that my competitors didn’t,” she said. “It might sound funny—it’s a security certification—but to customers, it matters.”
Third, Koontz noted the rising demands of cybersecurity insurance providers for businesses to prove they have security controls in place to maintain coverage.
“The way everything is maturing, we’re going to have to start proving it anyway, so let’s get ahead of it,” Koontz said.
But what does getting ahead of it look like? Once the foundational elements of your program are in place—policies, procedures, training requirements—how should your company determine which certification to pursue?
The process is different for every business, Koontz noted, with varied risk considerations shaping the decision. A popular starting point is the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, voluntary guidance that organizations assess themselves against; there is no NIST certification to earn, so it is a self-attestation rather than an externally validated program. The framework is free and organized around security outcomes (identify, protect, detect, respond, recover) rather than prescriptive technical controls. It was originally written for critical infrastructure operators but applies to any organization, and it leaves companies the flexibility to grow beyond its baseline.
“NIST is a great place to start to build in your controls or map yourself to a framework,” Koontz said. “Once you’re confident in your ability there, I would recommend moving on to an externally validated certification.”
That certification might be ISO 27001, SOC 2 (Type I or Type II), or the Cybersecurity Maturity Model Certification (CMMC), depending on your needs, customers, geographic footprint, and more. The three are not interchangeable: ISO 27001 is a certificate issued by an accredited body against a published standard; SOC 2 is strictly an auditor’s attestation report on controls (Type I at a point in time, Type II over a period) rather than a certificate, though customers commonly treat it as one; and CMMC applies to contractors handling U.S. Department of Defense information. And those are just a few options; Koontz noted a good place to start regarding any certification is to take a course in becoming an internal auditor on the requirements to help prepare for what external auditors might look for when testing your controls.
Take pride in your certified program
Once you have received a cybersecurity certification, make sure your customers are aware of the accomplishment, Koontz advised. “It always blows my mind when someone works so hard for a certification and doesn’t put it on their website or tell customers until they ask. That is a differentiator for your company,” she said.
Koontz shared her personal appreciation for the way Amazon Web Services (AWS) advertises its certifications on its compliance page, which lists the standards the company complies with, grouped into certifications and attestations; laws, regulations, and privacy; and alignments and frameworks.
“Not everything on that page is a certification; some of it is self-attestation where [AWS] is saying, ‘Hey, we’re aware of this law and we’re meeting it,’” Koontz said, reiterating her perspective as an outside observer. “I think it’s great for customers to build that trust.”