
7 Things Managers Should Know About Cybersecurity Compliance


Key Takeaways

  • Regulations vary by industry: Know which frameworks (HIPAA, NIST 800-171, PCI DSS, etc.) apply to your business.

  • Audits are inevitable: Federal contracts, healthcare, and financial services may trigger external audits; others may face internal or partner-driven reviews.

  • Data identification is critical: You must classify and protect sensitive data types like PII, PHI, and CUI across their lifecycle.

  • Governance requires visibility: Build a comprehensive asset inventory—devices, networks, and repositories—to track where data resides and flows.

  • System Security Plans (SSPs) are non-negotiable: Treat SSPs as enterprise-wide strategies, not check-the-box documents.

  • Balance compliance and flexibility: Avoid vendor lock-in by carefully evaluating commercial and open-source solutions.

  • Neglecting compliance has real costs: Breaches, fines, reputational harm, and even business failure are common outcomes of weak cybersecurity practices.

Introduction

Cybersecurity compliance is no longer just an IT issue. It’s a business imperative that affects revenue, partnerships, and long-term trust. Whether you operate in a regulated industry or serve customers with high-value data, you need to know which rules apply and how they impact daily operations.

The problem is that the compliance frameworks, and the cyber threats they seek to mitigate, are complex and ever-changing. Managers can’t simply delegate the responsibility; they need clarity on obligations, risks, and strategies.

At Scorpion Five Technologies (S5T) we’ve accredited complex systems under some of the most demanding compliance frameworks, so we know how to turn tough security standards into practical, business-focused solutions. Here are 7 things every manager should know about cybersecurity compliance.

1. Know if You are Subject to IT Security Compliance Regulations

Your first step should be to determine which cybersecurity regulations govern your business today and to assess if those may change in the future. Table 1 lists some common industries and associated federal regulations.

Table 1. Cybersecurity compliance takes various shapes depending on your industry

Industry            Compliance Regulation / Framework    Data/Information Type
DoD / Gov’t         NIST 800-171 / CMMC                  Controlled Unclassified Info (CUI)
Federal (cloud)     FedRAMP                              Unclassified
Healthcare          HIPAA, NIST 800-66                   PHI
Finance             GLBA, PCI DSS, FFIEC, SOC            Financial Data
Energy              NERC CIP                             Grid / SCADA Systems
Life Sciences       21 CFR Part 11, GxP                  Clinical/Manufacturing Data
Civilian Agencies   FISMA, NIST 800-53                   Federal Info Systems
Telecom             FCC CPNI Rules                       Network Usage Data
Export-Controlled   ITAR / EAR                           Technical Defense Data

There are likely state-specific regulations you will need to know about, especially concerning privacy and the handling of personally identifiable information (PII) and other sensitive data. Every individual has associated PII, which makes it the most ubiquitous sensitive data type that needs special consideration.

Even if you are not regulated by state or federal law, the companies you do business with may have adopted industry or federal data protection regulations and security controls that they require you to meet.

Determining cybersecurity compliance requirements from the regulations is not always trivial. The regulations may or may not provide implementation guidance, so be prepared to detect when your organization is drifting toward “gold plating” security policies (access control, incident response, vulnerability management, data collection, forming security teams) under the guise of industry best practices.

2. Cybersecurity Audit: Know if You are Subject to Audit—or Should Be

If your company does business with the Department of Defense, you will be required to comply with the NIST 800-171 framework for Controlled Unclassified Information (CUI). NIST 800-171 has about 100 security controls defined. The requirement to comply with the security controls comes in the form of a Defense Federal Acquisition Regulation (DFAR) 252.204-7012 which will be one of the terms in the contract between your company and the government.

DFAR 252.204-7012’s security controls will also apply via ‘flow down’ if you are a subcontractor on a prime contract that contains this DFAR clause. Under certain circumstances some of the 7012 clause requirements might be relaxed for subcontractors, depending on your role in the contract.

External compliance audits for access and handling of CUI will be required by the federal government, but the details are still evolving.

If you deal with the Health Insurance Portability and Accountability Act (HIPAA) and personal health information (PHI), government audits are not required, although the Department of Health and Human Services (HHS) may conduct a random audit of your business. Furthermore, the companies you do business with may require a third-party HIPAA compliance audit to satisfy their internal requirements.

3. Data Protection Policy: Know Your Covered Data and Information Types

While you most certainly store and transmit PII (e.g., employee data), do you also deal with PHI, controlled unclassified information (CUI), or other data types called out specifically in federal or state regulations? Do you have proprietary information that should be internally regulated or controlled?

Within your enterprise, you will need to have institutionalized (curated and trained) processes that properly identify and prescribe access to and handling of the variety of information and data throughout its lifecycle (Figure 1).

Figure 1. Data Access and Handling Must be Considered throughout Its Lifecycle

The data and information types must be correlated to job roles and responsibilities to determine who needs access to which categories. Prescribing which roles need access to specific data/information categories is critical for the enterprise, and this process and its implementation need to be well thought out (Figures 2 and 3). In terms of business optimization and flexibility, wider access is better. However, wider access must be balanced with guidelines that seek to limit access to reduce risk. For example, for PHI, HIPAA regulations state that only the least amount of PHI needed to accomplish a task should be accessed, used, or disclosed.

Data protection starts by knowing what types of data and information your business creates. Cybersecurity compliance dictates that job roles be mapped to information and data types.

Figure 2. Your enterprise probably creates more information and more information types than you would expect. You should create processes and workflows that categorize generated information and map categories to job roles to govern access.

Figure 3. Your business needs robust HR processes to keep employee information current, which should carry over to keeping their information access current.
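The role-to-category mapping and the HIPAA minimum-necessary rule described above, as an added illustration (not S5T’s code). The categories, roles, purposes, field names and the sample employees and records are constructed for the example; the stale-grant check corresponds to Figure 3, where HR role changes must flow through to access.

```python
"""Classification-to-role access mapping with minimum-necessary PHI filtering.

Added illustration, not S5T's code. Categories, roles, purposes, field names
and the sample data below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Data/information categories the enterprise has identified (Figure 2 step).
CATEGORIES = {"PUBLIC", "PROPRIETARY", "PII", "PHI", "CUI"}

# Which categories each job role may access: the role-to-category map.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "marketing":   {"PUBLIC"},
    "hr":          {"PUBLIC", "PROPRIETARY", "PII"},
    "billing":     {"PUBLIC", "PII", "PHI"},
    "clinician":   {"PUBLIC", "PII", "PHI"},
    "defense_eng": {"PUBLIC", "PROPRIETARY", "CUI"},
}

# Minimum necessary: for PHI, each business purpose names the only fields it may see.
PHI_PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "billing":   {"patient_id", "dob", "procedure_code", "insurer"},
    "treatment": {"patient_id", "dob", "diagnosis", "medications", "allergies"},
}


@dataclass
class Record:
    category: str
    fields: dict


@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: dict = field(default_factory=dict)


def check_access(role: str, record: Record, purpose: Optional[str] = None) -> Decision:
    """Decide whether `role` may access `record`; for PHI, also trim to the minimum necessary."""
    if record.category not in CATEGORIES:
        return Decision(False, f"unknown category {record.category!r}: classify it before granting access")
    if record.category not in ROLE_ACCESS.get(role, set()):
        return Decision(False, f"role {role!r} is not mapped to category {record.category}")
    if record.category != "PHI":
        return Decision(True, "category permitted for role", dict(record.fields))
    needed = PHI_PURPOSE_FIELDS.get(purpose or "")
    if needed is None:
        return Decision(False, "PHI access requires a recognised business purpose")
    # Disclose only the fields this purpose needs.
    return Decision(True, f"PHI limited to minimum necessary for {purpose}",
                    {k: v for k, v in record.fields.items() if k in needed})


def stale_grants(employees: Dict[str, str], grants: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (employee, category, current role) for grants not justified by the current role.

    `employees` maps employee id -> current role (HR system of record);
    `grants` maps employee id -> categories currently granted in IT systems.
    Departed staff are absent from `employees`, so every grant they hold is stale.
    """
    findings = []
    for emp, cats in grants.items():
        role = employees.get(emp)
        allowed = ROLE_ACCESS.get(role, set()) if role else set()
        for cat in sorted(cats - allowed):
            findings.append((emp, cat, role or "terminated"))
    return findings


if __name__ == "__main__":
    phi = Record("PHI", {"patient_id": "P-001", "dob": "1980-01-01", "diagnosis": "example",
                         "medications": ["a"], "allergies": [], "insurer": "Acme", "procedure_code": "99213"})
    print(check_access("billing", phi, "billing"))
    print(check_access("marketing", phi, "billing"))
    print(stale_grants({"e1": "hr", "e2": "clinician"}, {"e1": {"PII", "PHI"}, "e3": {"CUI"}}))
```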

4. Data Governance Strategy: Know Where Your Information and Data Exist

Identify the various assets and processes within your enterprise and how data is created, transmitted, and stored – think of this as an asset inventory. Assets include hardware, software, internal and external data repositories, networks, and personnel (Figure 3). Other considerations for data protection:

  • Have you defined which data is critical to your business?

  • Do the cloud-based software systems you use protect your data properly within their systems?

  • Does someone know when a new device is on your network?


Figure 4. Your data moves across your entire enterprise. Who views your data, creates it, changes it, and who/what stores it (temporarily and permanently)?

5. Know the Effects of Data Protection Policy on the Enterprise

Data protection should be addressed in a System Security Plan (SSP). An SSP is not only commonly required, but it is also a core deliverable in virtually every major cybersecurity framework and regulation. In fact, once you’ve built an asset inventory, the next logical and often mandatory step is to document how each asset is protected, managed, and monitored — and that’s the role of the SSP.

Simple solutions are recommended first, such as using privacy screens on computers processing personal data that may be publicly visible. Privacy screens also help promote cybersecurity compliance by serving as a constant reminder to users to be vigilant, which can help thwart phishing attacks, for example.

Do not relegate creation of the SSP to a lower-level position that does not have enterprise-wide knowledge and visibility. There can be deep, long-lasting negative effects and expense if data protection is not approached holistically. These effects can accrue technical debt over time, become enculturated, and will be difficult and painful to fix later.

Some of the negative effects of a siloed SSP approach may manifest themselves as decreased employee morale and apathy due to additional perceived workplace bureaucracy.

To help thwart hidden or subtle issues that detract from an enterprise, consider having an executive manager who understands how the business makes revenue and who is also deeply knowledgeable and conversant on IT and IT compliance issues. This executive should have a role in understanding and reviewing the key SSP processes and workflows being put into place. There are likely licensable security systems that will help streamline implementation and maintenance of data security.

A practical example is centered on software and operating system patching. Your business should be set up such that 1) IT is aware of 100% of the computers used by employees and 2) IT has 100% of the operating systems and key software set up for automatic patching. For efficiency purposes, this generally leads to the need for all computers to run the same OS and mostly the same software.

Using identical computer setups may work for some businesses, but if your business includes developing software, your software development employees will need the flexibility to use various OSs for development and testing, plus a host of other developer tools not typically used by the workforce at large. Thus, the people conceiving enterprise processes for compliance also need to understand how the various parts of the business function, so as not to undermine their business model or their ability to work efficiently.
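The two checks from the patching example (IT knows 100% of the computers; 100% are set up for automatic patching) together with the asset-inventory question from section 4 (“Does someone know when a new device is on your network?”), as an added illustration that is not S5T’s code. The inventory, the DHCP-style lease lines and the SSP exception field are constructed for the example; developer machines that legitimately differ are recorded as documented exceptions rather than left invisible.

```python
"""Asset inventory reconciliation and patch-coverage report.

Added illustration, not S5T's code. The inventory, the lease log lines and
all field names are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    hostname: str
    mac: str
    owner: str
    os: str
    auto_patch: bool
    exception: str = ""   # documented SSP exception, e.g. a developer test host


# Constructed inventory: what IT believes exists.
INVENTORY: List[Asset] = [
    Asset("fin-01", "aa:bb:cc:00:00:01", "finance", "Windows 11", True),
    Asset("hr-02",  "aa:bb:cc:00:00:02", "hr",      "Windows 11", False),
    Asset("dev-07", "aa:bb:cc:00:00:07", "eng",     "Ubuntu 24.04", False,
          exception="developer test VM host; weekly manual patch window, see SSP (constructed)"),
]

# Constructed DHCP lease log: the network's view of what is actually connected.
LEASE_LOG = """\
2024-05-20 08:01:12 DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (fin-01)
2024-05-20 08:03:40 DHCPACK on 10.0.5.22 to aa:bb:cc:00:00:02 (hr-02)
2024-05-20 09:15:03 DHCPACK on 10.0.5.88 to de:ad:be:ef:12:34 (galaxy-s23)
2024-05-20 09:15:07 DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (fin-01)
"""

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?")


def observed_devices(log: str) -> Dict[str, dict]:
    """Map each MAC seen in the lease log to its most recent IP and client name."""
    seen: Dict[str, dict] = {}
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, name = m.groups()
            seen[mac.lower()] = {"ip": ip, "name": name or "?"}
    return seen


def unknown_devices(inventory: List[Asset], log: str) -> Dict[str, dict]:
    """Devices on the network that the inventory does not know about."""
    known = {a.mac.lower() for a in inventory}
    return {mac: info for mac, info in observed_devices(log).items() if mac not in known}


def patch_report(inventory: List[Asset]) -> dict:
    """Split the inventory into auto-patched hosts, documented exceptions and untracked gaps.

    Coverage counts documented exceptions as covered: they are known and managed,
    just not by the default automatic-patching mechanism.
    """
    auto = [a.hostname for a in inventory if a.auto_patch]
    excepted = [a.hostname for a in inventory if not a.auto_patch and a.exception]
    gaps = [a.hostname for a in inventory if not a.auto_patch and not a.exception]
    covered = len(auto) + len(excepted)
    pct = round(100 * covered / len(inventory), 1) if inventory else 0.0
    return {"auto_patched": auto, "exceptions": excepted, "gaps": gaps, "coverage_pct": pct}


if __name__ == "__main__":
    print("unknown devices:", unknown_devices(INVENTORY, LEASE_LOG))
    print("patching:", patch_report(INVENTORY))
```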

6. CIA Triad: Balance Technical Compliance with Future Flexibility

You may be tempted to license a platform or tool suite (e.g., SaaS, IaaS, or PaaS) that claims to solve many or all of your confidentiality, integrity and availability (CIA) issues. The most common examples are the big three cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). These providers offer tiers of service with different cybersecurity technologies that meet various compliance specifications.

There are also integration platforms such as SAP Integration Suite, MuleSoft, Boomi, and Workato that focus on API management, integration, and application development. Below this there are thousands of products that address various elements in the tree of functionality that make up an application (Figure 5).


Figure 5. There are a variety of subsystems, tools, and utilities used to create modern software applications that may be obtained with a paid license, or they may be open source. Strive to balance the desire for rapid cybersecurity compliance and potential long-term commitment to a particular vendor with the ability to change your approach in the future.

These products may be available commercially or open source. Your lead software architect should evaluate these products and implementation strategies to ensure they balance legs of the CIA triad. You do not want to, for example, short Data Availability for unnecessary Data Integrity or Data Confidentiality controls (Figure 6). If you do not have the in-house expertise to evaluate these products, S5T can assist you with cybersecurity compliance-related risk assessments.


Figure 6. Seek balance of the CIA Triad

As a business manager you should be aware that a large investment licensing a commercial tool can create a situation called “vendor lock.”

Vendor lock happens after years of investment in licensing and training employees, to the extent that changing vendors is no longer a palatable course of action. Once the vendor senses they have achieved a “lock” on your business, they can increase license fees and the costs of additional services.

Furthermore, if you are using a smaller company (i.e., not Microsoft or Oracle) there is some chance they may be purchased by a company that is foreign or that is not interested in maintaining the compliance certifications on which you based your purchasing decision. This scenario could put your business at risk of a forced and expensive change.

On the other hand, open-source software may be able to limit the risk of vendor lock while providing similar capabilities. Considerations of these trade-offs can be made by an experienced solutions architect.

7. Know the Downsides of Inadequate Cybersecurity Compliance

Neglecting a comprehensive cybersecurity and/or compliance plan exposes businesses to a range of severe negative scenarios that can significantly impact their operations, reputation, finances, and even long-term viability. Here are some of the key negative scenarios a business may face, but you may want to task your CIO to perform specific data protection impact assessments:

1. Data breaches

Exposure of Sensitive Data: Attackers can gain unauthorized access to critical information, including customer data (PII, payment details), financial records, intellectual property (IP), and trade secrets.

Customer Notification Costs: Legal and regulatory obligations often require businesses to notify affected individuals of data breaches, which can be a costly process involving communication campaigns and potentially offering credit monitoring or identity theft protection.

2. Financial losses

Ransomware and Cyber Extortion: Cybercriminals can encrypt critical data and demand ransoms, leading to financial losses and operational disruptions.

Investigation and Remediation Costs: Recovering from a breach involves significant expenses for forensic investigations, system repair, and implementing enhanced security measures.

Legal Fees and Settlements: Businesses may face class-action lawsuits from affected customers or partners, incurring substantial legal fees and potential settlement costs.

Regulatory Fines and Penalties: Non-compliance with data protection regulations (like GDPR, HIPAA, CCPA, PCI DSS) can lead to hefty fines.

Increased Insurance Premiums: A history of cyber incidents can lead to higher insurance premiums and stricter terms for coverage.

Business Interruption Losses: Downtime and disrupted operations resulting from an attack or the recovery process can lead to revenue loss.

3. Reputational damage and loss of trust

Erosion of Customer Confidence: Data breaches erode customer trust in a company’s data security posture, potentially leading to lost customers and decreased sales.

Difficulty Attracting New Clients and Partners: Potential clients may be hesitant to engage with a business with a history of security lapses, and partners may demand stricter security measures.

4. Operational disruption

System Downtime and Productivity Loss: Cyberattacks can bring business operations to a standstill, leading to delays, missed deadlines, reduced employee productivity, and supply chain disruptions.

Restoration Challenges: Recovering lost or corrupted data can be a slow and difficult process, impacting the ability to conduct business as usual.

5. Legal and compliance consequences

Breach of Legal and Regulatory Obligations: Failing to implement appropriate security measures and report breaches in a timely manner can lead to legal and regulatory consequences.

Non-Compliance with Industry Standards: Failure to adhere to industry-specific regulations can result in fines, legal actions, and even suspension of operations.

6. Long-term impacts

Loss of Competitive Advantage: IP theft can have long-term implications for a company’s innovation capabilities and market position.

Business Failure: For some businesses, especially small to medium-sized ones, the financial and reputational fallout from a major cyberattack can be so severe that it leads to permanent closure.

Impact on Employee Morale and Productivity: Cyber incidents can affect employee morale, trust, and productivity, potentially leading to increased turnover.

If all of this seems like a lot to take in, S5T can provide expert cybersecurity compliance help. Whether you are a small business, a larger enterprise, or a government agency, S5T is your digital ally!

Frequently Asked Questions (FAQs)

  • Do small businesses really need to worry about compliance?
    Yes. Even if you are not directly regulated by specific data protection laws, your clients, partners, or prime contractors may impose compliance requirements on you.

  • How often should we update our System Security Plan (SSP)?
    At least annually, or whenever there are significant changes to systems, staff, or regulations.

  • What’s the difference between compliance and security?
    Compliance ensures you meet minimum legal or contractual obligations; security goes further, protecting against emerging threats not yet covered by regulations.

  • How do we avoid vendor lock-in with cloud or SaaS providers?
    Ensure data portability, evaluate open-source alternatives, and involve a solutions architect in vendor selection.

  • What is the biggest mistake managers make with cybersecurity compliance?
    Treating it as solely an IT issue. Compliance requires executive oversight and integration into enterprise strategy.


Allen York, PhD
