Measure to Your New List
Now that you have this new list of requirements, with the redundancy removed and the ambiguity cleared up, you have a baseline from which to measure your existing controls. Conduct your gap analysis against this new target list of requirements.
As with any audit or assessment, the gap analysis against your target list of requirements will likely yield some places where your controls are deficient. Make a list of those deficiencies, and that list becomes your action list for remediation. If you are smart, you will assign resources and costs to those action items to help you budget.
Use that list of deficiencies to track progress on closing the gaps, and report that progress so you can show how much more compliant you are than when you started and demonstrate the return on investment for those projects.
That all sounds a little complicated, but believe me when I tell you it's easier than the way we've all been doing it, with multi-layered spreadsheets and counting on our fingers and toes. There are some solutions out there that automate this process. Make sure you select one that creates your own unique compliance target and does not force you to adapt to a single best practice or standard, because one size does not fit all.
So, can we be compliant and yet insecure? Yes, we can, especially if we try to link each control with a single regulatory requirement, one at a time. We may be able to achieve compliance with a single regulation that way, but we may be leaving the back door wide open.
Bill Sieglein is founder and executive director of the CSO Breakfast Club. His background includes work in the US intelligence community and a stint as CSO of the Public Company Accounting Oversight Board (PCAOB).