Documentation is essential to manage risk

Importance of Documentation in Cyber Maturity – David Glenn

Documentation is Essential for Organizations to Manage Risk

The business world has become increasingly interconnected and having a well-documented information security plan is now table stakes. With data breaches and cyber-attacks becoming more frequent and sophisticated, companies must be proactive in protecting their assets and ensuring compliance with a growing number of regulatory mandates and frameworks. It is not just heavily regulated industries that need to be concerned about these requirements. Cyber threats are growing in number and severity, and it is critical for all organizations to have robust cybersecurity and compliance practices in place.

One aspect of cybersecurity that is often overlooked is documentation. Having clear, accurate, and up-to-date documentation is essential for organizations to effectively manage their cybersecurity and compliance risks. This is especially true in heavily regulated industries, but it’s continuing to expand beyond that as well. Every organization needs to:

  • Be aware of their security posture and invested in how to best secure critical data and resources.
  • Understand which mandates are applicable to them, or frameworks that their organization has chosen for standardization.
  • Continuously assess and be aware of process and technical gaps.
  • Have a dynamic, defensible plan for addressing those gaps.

Regulations, Mandates and Frameworks

With the proliferation of mandates such as TISAX, PCI; regulatory requirements such as CMMC, HIPAA, CCPA, New York Privacy Act (and many other state privacy acts on the horizon); frameworks such as ISO 27001, NIST CSF, CIS v8, NIST 800-53r5, NIST 800-171 and many more, the complex layers of cybersecurity and compliance mandates are only going to increase in the future.

Legal Precedent and Individual Accountability

Recent high-profile cases, such as with the felony conviction for Joe Sullivan, the former Uber CISO for “misprison of a felony”, which “punishes anyone with knowledge of the commission of a felony who conceals and does not report the same”, just affirmed by the trial court, and FTC’s finalized action against Drizly and CEO James Cory Rellas , have highlighted the importance of effective documentation and the potential consequences of failing to do so. The FTC’s action against Drizly is a game-changer, as it holds the CEO personally liable for security failures and requires the company to destroy unnecessary data, restrict future data collection and retention, and bind the CEO to specific data security requirements. This is a clear indication that regulators are taking cybersecurity and compliance seriously and that the ramifications of a failure to comply are not just limited to security and risk leadership, but also extend to board members and executives. That is a lot of individual accountability and, in contrast to the past, there are real consequences (see above) and financial pain likely for those that fail to make appropriate preparations.

Protecting Yourself With “Risk Acceptance Forms”

One way security officers can propose to control risky business behavior would be by implementing “risk acceptance forms” to directly enforce accountability of senior leadership when blatant critical risks are introduced.  This type of form (if properly implemented) would require legal/HR/compliance to document and track according to documented policies/procedures/standards of the organization.

A Proactive Approach

This increased scrutiny and focus on third-party risk is driving organizations to take a more proactive approach to cybersecurity and compliance. It’s not enough to simply react after a breach or event has occurred. Organizations need to be able to understand the potential impact of failure to plan and act as well as take steps to mitigate those risks before an incident occurs. The key is documenting your plan, executing on it to close the gaps, and having a plan when (not if) an event occurs.

Cyturus Can Help

This is where Cyturus comes in and can help protect yourself and your organization against litigation and data loss. Our CRT (Compliance and Risk Tracker) platform provides continuous monitoring of an organization’s security, compliance, and risk management posture. It provides full dashboard visibility, on-demand and scheduled reporting, security roadmap and remediation management, gap analysis, trending over time, and crosswalk mapping when you are dealing with multiple mandates or frameworks, and/or new mandates so that you don’t have to repeat your work. We save time and money with automation and flexibility with proven processes.

In today’s fast-paced business environment, it is impossible to document and comply effectively using spreadsheets and other manual processes. With Cyturus, you can streamline your compliance and risk management efforts, and ensure that you are always in compliance with the latest mandates and frameworks. Contact us today at or fill out the form below for more information or to schedule a demo of our CRT platform and see how we can help you protect your organization from cyber threats and regulatory penalties.


What Uber’s Joe Sullivan Case Means for ‘Sacrificial CISOs’:

Former Uber CISO’s Conviction Affirmed by Trial Court: Former Uber CISO’s Conviction Affirmed by Trial Court – Security Boulevard

FTC Drizly, LLC Case Summary:

FTC votes 4-0 on finalizing enforcement action against James Cory Rellas, CEO of Drizly: