The Public Sector Playbook for Establishing a Culture of Compliance


By Hugh Barrett, Chief Product Officer, Telos Corporation

The need to achieve cyber compliance has never been greater. Cybersecurity regulations and frameworks are continuously being revamped, readjusted and recreated. With new requirements emerging each year, it has become crucial for organizations to build compliance directly into their DNA. What companies need to understand is that compliance is more than checking a box – not only does it mean meeting necessary requirements, but it also positively impacts their bottom line. Even the administration’s National Cybersecurity Strategy discusses how effective regulations have the power to minimize the cost and burden of compliance.

Understanding that a culture of compliance brings numerous benefits like increased trust, employee engagement and reduced risk begs the question: Why isn’t everyone doing it? The answer is that although cultivating a compliant culture seems like a no-brainer, it isn’t always easy – it requires significant organizational buy-in and adjustments.

Enter the public sector. Due to the volume and evolving nature of regulations impacting the sector, there are many lessons for business leaders to learn about how to approach compliance.

Understanding what the public sector is up against

Regardless of industry or sector, all organizations are at risk of cyber threats; however, federal agencies face heightened challenges as they possess extensive sensitive data and information that adversaries are hungry to get their hands on. The prospect of a cyber incident that impacts government systems comes with both national security implications and the potential for significant harm to the public’s trust. One incident can severely shake trust both in the government’s capability to function and in political leaders themselves, not to mention the costly ramifications of putting projects and initiatives on hold until the incident is remediated. Threats to the public sector can potentially have catastrophic consequences, so compliance efforts have been instituted to push agencies ahead of threats that might otherwise stop the function of government.

With a responsibility to every citizen of the United States, the public sector must maintain strict adherence to cybersecurity compliance standards. This dedication to protecting data is something that the private sector can learn from when instituting its own rigorous approach to compliance.

Implementing a Culture of Compliance

By taking actionable steps to mirror government processes, private sector companies can find support and a clear path forward in promoting a culture of compliance.

As the public sector has much to teach in the realm of compliance, information sharing is critical to mission success. Gaining insights from how other organizations structure their path to compliance will significantly benefit private sector organizations. Exchanging intelligence and best practices enables all organizations to stay at the forefront of compliance endeavors. Knowledge-sharing helps organizations gain unique perspectives and support in deploying the most effective practices. In order to increase industry collaboration, organizations should consider public-private partnerships, industry associations and working groups that align with the company’s mission. Organizations should also consider relevant ISACs, member-driven organizations geared towards cross-sector partnerships and collaboration.

In addition to collaboration, one of the most important pieces of compliance is proactive monitoring. What this means is that organizations must continuously monitor their network, systems, applications and data to prevent security incidents before they occur. It’s not an easy job – it can very easily cause audit fatigue, opening up risks for human error and burnout, which is why automation is key. Government organizations use automated cyber risk management solutions to continuously manage their cyber risks and ensure necessary regulations and policies are being met. As we know, there is no shortage of regulations to follow, and they’re continuously evolving, making automation a necessity for both government and commercial markets. By automating compliance and ensuring up-to-date provisions are made to stay on top of changes, organizations can employ real-time responses and adjustments to any relevant regulatory changes.

Beyond the guidelines mandated by governing bodies, the public sector also follows strict training processes to ensure its workforce is prepared to uphold standards and address security risks. Training and development opportunities empower employees to feel engaged in their organization, and providing these opportunities continuously ensures that employees stay abreast of the most up-to-date compliance policies and procedures. One example is (ISC)², a nonprofit that provides a multitude of resources to fit training needs and strengthen cybersecurity education. Promoting compliance training and development will emphasize the importance of employees being mindful of regulations while establishing a top-to-bottom culture of compliance.

In order to establish a company culture that embraces compliance efforts, organizations across government and commercial markets must prioritize industry collaboration, continuous and automated monitoring and effective employee training/development programs. When combined, these three components create a holistic compliance environment that mitigates risks and contributes to the bottom line.

No organization has the golden key to compliance. We can all learn from each other, apply what is relevant and continue to do our best in securing our organization’s systems, data and reputation.