Flip the script on the traditional hacking scene in a movie: Instead of the camera panning down lines of output from a command prompt executable, the camera pans across a spreadsheet of cybersecurity controls. Instead of a lone hacker furiously typing in a dark basement, a cybersecurity compliance officer calmly convenes a series of meetings across engineering, legal, and IT teams, ensuring adherence to safety measures, enforcing due diligence, designing threat management plans, and identifying appropriate processes to ensure baseline cybersecurity across the enterprise. And lastly, imagine dramatic orchestral music playing before the breach or incident, as the compliance officer discusses how to upgrade a company's business continuity planning.
Amid the ongoing policy push to implement the comprehensive National Cybersecurity Strategy and manage risks posed by AI, cybersecurity compliance officers, together with other specialists like cybersecurity attorneys, network engineers, IT personnel, and technical writers, form the core of cybersecurity. Through day-to-day decisions on implementation and compliance, these experts work to translate cybersecurity controls to specific actions and to assess internal alignment to policies. Implementation and compliance not only underpins the existing tools, services, and systems in place to protect against vulnerabilities and data breaches, but also the efforts to embed security within novel technologies, such as those enabled by AI.
Why Are Compliance Officers Important?
Cybersecurity compliance officers build relationships, translate the language of controls into action, and communicate across business units — and companies big and small need to invest in trained compliance officers within their organizations.
"At the end of the day, being able to communicate across the enterprise allows everyone to buy in," explains Kelly C. Ellis, a compliance officer with 17 years of experience. "A conversation with an attorney over data privacy may lead to a discussion with an engineer over system configuration management."
So much of cyber and information security comes down to nitty-gritty "cyber safe" practices, processes, and organization within teams, companies, and institutions. Tools like the Institute for Security and Technology's Blueprint for Ransomware Defense — a curated subset of essential Safeguards derived from the Center for Internet Security Critical Security Controls v8 aimed at small and midsize enterprises — can help ensure preparedness across a range of organizations. The Blueprint offers a specific example of how concrete recommendations to increase an organization's baseline cybersecurity can help alleviate the risk of cyberattacks by distributing the burden of security across an interlocking network of stakeholders. But in order to defend against ransomware attacks, the Blueprint's recommendations need to be implemented and monitored properly by cybersecurity compliance or IT teams within organizations. When done right, a diverse team with complementary responsibilities builds necessary redundancy and catalyzes safety at the organizational level.
Future of Cyber Safety
As we apply the latest cybersecurity principles to today's technological environment, we must also look toward the future. Principles like "secure by design" not only underpin the effectiveness of modern cyber-safe practices but also provide a framework through which to view the integration of security and innovation. As AI systems train on data derived in part from personal information and create outputs with wide-reaching impact, the development and implementation of such security frameworks becomes more crucial than ever. Not only will AI supply a range of new cybersecurity and compliance tools, but also, as AI tools and systems roll out within organizations, cybersecurity compliance officers and teams will be the ones applying standards and controls to these systems.
"Not only are compliance officers responding in real-time, but they are also responding to new situations that they've never seen before with requirements that haven't changed," Ellis says. "How do you translate concepts like ownership of data, definitions of data privacy, and appropriate data handling processes to AI systems and tools?"
Historically, market incentives have allowed organizations to treat security as an afterthought. Without a significant shift in existing market incentives that drive development of more secure products and services, cybersecurity experts focused on implementation and compliance will continue to play a critical role in enforcing safety at the frontier of innovation. These teams, by adapting and responding to the implementation and compliance needs of technological advancements, shape the future of the AI security field. With the increased integration of AI systems with tools and services that rely on personal identifiable information and other sensitive data, the stakes have never been higher.
As we continue to develop cybersecurity policy, we must remember that it takes a diverse village of experts to enact effective cybersecurity guidelines, practices, and processes. In an age of increased risk and nascent national policies, boots-on-the-ground individuals like compliance officers are critical to ensuring the safety and security of the systems we rely on in every aspect of our lives.