Secure Configuration Management

What is security compliance and why is it important?

Fabian Faistauer
Director, Head Cybersecurity Technology & Transformation, PwC Switzerland

Jannis Louw
Manager, Cybersecurity Technology & Transformation, PwC Switzerland

In this blog post we look at security compliance and its benefits ‒ not just in terms of assuring formal compliance with regulations, but also as an effective means of safeguarding and boosting business performance by enhancing an organisation’s awareness and management of security-related threats.

Organisations are finding themselves under growing pressure to protect information. Not only do regulations protecting personal and sensitive business-related data keep on coming, but they’re also getting broader in scope. The obligation to be “compliant” no longer affects traditionally highly regulated industries such as healthcare and banks only.

With the General Data Protection Regulation (GDPR) already in place and the Swiss Data Protection Regulation coming into force in autumn 2023, basically any organisation handling regulated personal data must ensure a certain level of data security. Added to this, any entity that accepts, processes, stores or transmits credit and debit card information must comply with the PCI DSS. If a security incident occurs, there are hefty sanctions for non-compliance.

The fines imposed by regulatory bodies for a failure to meet the requirements for protecting information such as personal identifiable data, payment cardholder data and patient health data are significant, and entail additional costs long after the incident has occurred.

Cybersecurity and Privacy

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more

Potential losses can go way beyond fines

Even without sanctions, a data breach on its own can cost an organisation millions through the loss of sensitive business data or reputation and the costs of recovery. According to PwC’s 2023 Global Digital Trust Insights, in the last three years one in four companies globally has suffered a data breach costing them USD 1 to 20 million or more.

Radical changes in the way modern companies operate have also brought about a shift in the risk and threat landscape. The playground for cybercriminals is now much broader. The ability to keep track of information and IT assets (and making sure they’re securely configured), important changes in systems and changes in the applicable regulations is business critical. This is where well-coordinated security compliance management comes in:

Limiting the downside and increasing the upside

It's not about being compliant for the sake of being compliant. Security compliance management enables you to assure a good level of security in line with industry good practice standards such as ISO 27001, COBIT and NIST-800 series. It also allows you to manage data and information properly, protect your reputation, prevent security incidents and mitigate the potential damage if incidents do occur. All in all, security compliance boosts and protects your business performance by helping you build good cybersecurity and risk management practices into your organisation’s culture.

So what is security compliance?

Security compliance means conforming with a given set of security requirements (usually imposed by regulatory authority or law) for protecting the confidentiality, integrity and availability of data. Such requirements, often referred to as security controls, apply to any organisation that stores, processes or transmits that data and are based on best practices and security guidelines. They set the ground rules for the use and configuration of security mechanisms for protecting an entity’s data.

Security compliance management is the process of monitoring and assessing systems, devices, and networks to ensure they comply with the security requirements and industry standards. The security controls are based on best practices (e.g. CIS Benchmark) and security guidelines.

What areas does security compliance management need to address?

Governance

It’s important to establish effective IT governance to identify what IT assets are in scope and clearly define roles and responsibilities for compliant data processes.

This is a key step for organisations that don’t already have a security compliance management system to keep track of the security controls that are in place and monitor updates and changes in the applicable regulations. It’s also important because a lack of a governance foundation leads to a lack of enforcement power. And without proper governance, there can be no clear ownership and coordination of the security compliance assessment process to ensure that the right stakeholders and functions are involved.

Process integration

Organisations need a process framework with a different angle on IT monitoring, event management and incident management. Effective security compliance management entails implementing policies and continuously monitoring controls, processes and applicable regulations and standards. It should also include internal assessments and periodic audits to review controls and processes on an ongoing basis.

Process integration is an important step for organisations whose security compliance processes are not aligned with the business context. It’s also a necessary part of ensuring adequate management of information assets and inventory to provide the necessary information on the scope of compliance management. Last but not least, it makes sure the right stakeholders are accountable and required to act in the event of non-compliance.

Automation and software tools/tool integration

Implementing software tools to automate repetitive tasks saves a lot of time and allows your specialists to focus on other matters. Tools are available to automatically generate regular compliance reports to monitor the effectiveness of risk-mitigating controls or centrally update changes in frameworks and regulations. The crucial step is to fully integrate the solution in your existing landscape so that you have a single centralised dashboard showing all the assets and controls in scope. These systems are also useful for audit purposes.

A good example is security configuration management software enabling the continuous monitoring of secure and up-to-date information system configuration. Some vendors also offer a complex compliance management solution. On top of that, SOAR (security orchestration, automation and response) solutions offer a single platform for coordinating, executing and automating tasks between different tools.

Acquiring and integrating automation and software tools is particularly beneficial for organisations expending a large amount of manual effort on managing compliance or where there’s a lack of integration with information asset register and monitoring tools. It often involves addressing situations where poor data is leading to a low degree of automation.

The path to successful security compliance management

To successfully establish a security compliance management system it’s crucial to closely coordinate your resources, activities and people. We at PwC have developed an approach that can be applied to organisations at any point on their security compliance management journey.


We assess your current compliance and configuration monitoring capabilities and show you the benefits of an effective and integrated framework.

  • We identify the scope in terms of IT estate, data types and the applicable regulations and standards. We take into consideration the types of data transactions, as well as the laws of countries and territories data accesses and the countries of residence of data subjects.
  • We assess the gaps between as-is and the compliance requirements. We help you prioritise the identified gaps as a baseline to ensure a priority-focused transformation process. This is done by conducting risk and vulnerability assessments to provide the necessary information on the most critical security flaws and give a clearer picture of which controls are already in place. An overview of all business, IT and information security risks is fundamental for building effective security compliance management.

We help you design the target architecture and integrated process. This includes defining the relevant roles and responsibilities. We can also help you evaluate the right tools and integrate them into your existing landscape.

  • We define a target state and a target operating model covering the relevant processes, tooling and governance. We document all the decisions and processes in policies and internal standards.
  • We agree on a gap-closing plan and on the sourcing options (make or buy).
  • We implement the defined compliance management processes and integrate the chosen tools. We also put technical and non-technical controls in place based on your requirements and risk tolerance.

You can read more about security transformation and how our project management-based approach can be the right solution for your business in our blog.


Whether you decide to make or buy, we can offer you the option of managing the whole compliance and configuration monitoring life cycle on your behalf. This will enable you to prove and maintain compliance with your internal and external stakeholders. Our role can include:

  • Handing the established control framework over to your business and IT people
  • Verifying that defined controls are in place and effective
  • Establishing a dashboard and reporting set-up for continuous monitoring of compliance
  • Running the implemented processes, such as regular risk and vulnerability assessments, as well as the integrated tools
  • Helping you to prepare for an external audit/independent third-party assurance service to verify compliance
  • Helping you establish a process for the regular review, testing and modification of implemented controls and processes.

Are you sure you’re compliant?

As information technology continues to develop, society is increasing the pressure on organisations to protect the data they hold. For modern enterprises with very complex structures and a broad business focus that often operate in multiple countries, staying up to date with regulations and standards is a real challenge. But it’s a challenge you don’t have to face on your own. There are specialists out there who can help you implement an effective security compliance management system to protect both your own and your customers’ data. That way you avoid financial sanctions, mitigate the damage caused by a potential data breach and, most importantly, build trust in your business.

#social#

Contact us

We help clients increase the security of their systems and comply with security standards and regulations. Reach out to us if you have any questions or would like to talk about your plans and needs.

https://pages.pwc.ch/core-contact-page?form_id=7014L000000DY4xQAG&embed=true&lang=en

Contact us

Fabian Faistauer

Director, Cybersecurity Technology & Transformation, PwC Switzerland

+41 58 792 13 33

Email

Jannis Louw

Manager, Cybersecurity Technology & Transformation, PwC Switzerland

+41 58 792 15 92

Email

Building trust to succeed

Trust in a team that truly helps your organisation transform by designing, implementing, and continuously monitoring the right cybersecurity solutions. Together, we create sustainable value and trust – now and in the future.

Explore our offering