Compliance Competency: Improving Security Strategies
Anyone familiar with the Monty Python movie Life of Brian can no doubt recall the famous “What have the Romans ever done for us?” scene. In this scene, the activist group Brian has joined is looking to overthrow Roman rule. In a conversation where the people in the group lament the ills the Roman Empire has inflicted on them they also highlight the advantages, such as roads, aqueducts and law and order, which Roman rule brought to the region.
In many ways, this scene reminds me of the cybersecurity industry which regularly laments how ineffective security controls are implemented in organizations and yet, at the same time, doesn’t appreciate the benefits that cybersecurity standards and regulations have brought.
If we look at key turning points in recent times resulting in boards and senior management focusing more on cybersecurity, I argue it is the introduction of security standards and regulations that have driven this new focus. This, coupled with the increasing reliance all businesses and organizations place on technology and the sharp uptake in the number of very public security breaches, has made many companies look towards their security for reassurances that their organization will not be the next to hit the headlines for all the wrong reasons.
The traditional response from many security teams has been along the lines of “trust us, we know what we’re doing,” but I would argue that this is no longer an acceptable response. As with every other aspect of business, be it HR, health and safety or finance, there are standards and regulations which those business functions have to comply with.
The introduction of the EU General Data Protection Regulation (GDPR) has introduced more stringent penalties for businesses failing to secure the personal data entrusted to them by individuals or for not honoring their rights. There are other regulations the EU has introduced which have not garnered the same attention, such as the EU Network Information Security Directive, focusing on organizations providing essential services and critical infrastructure, the Payment Services Directive II for improving the online security payments environment and, during the summer of 2019, the EU Cyber Security Act also came into force. The Cyber Security Act paves the way for the EU to introduce certification schemes to certify products and services, particularly in the Internet of Things space, as being secure. Other jurisdictions are looking at how Europe is regulating the security industry with a view to introducing similar regulations. We also see different industry sectors, particularly those that are regulated, looking to introduce ways to ensure organizations within their sectors are implementing an acceptable baseline of security.
The argument often cited against standards and regulations is that security teams and businesses will not focus on properly securing their systems, but rather do the bare minimum to comply with the relevant standards. This may have been true in the past, but in my opinion, this is rapidly changing. The key reason I say this is because many of the above regulations now hold organizations – and indeed in some cases (such as the GDPR) individuals within those organizations – responsible and accountable for not ensuring the security of their data or services.
This focus on holding organizations accountable has taken cybersecurity out of the realm of the IT and the security teams and placed it firmly in the hands of the risk committees, audit committees and the board. In order to manage the risk associated with this accountability, many organizations will now look to those responsible for security not only in their organization, but also with any third-party providers they engage with, to demonstrate to them that they are implementing recognized industry good practices in securing their data. Hence we are seeing a drive towards many organizations looking to get certified to the ISO 27001 Information Security Standard, or for smaller firms, seeking certification through the Cyber Essentials scheme.
This move towards standards is not only driven by the businesses themselves, but in order to offset the risk associated with a cybersecurity breach, organizations are looking towards cyber insurance. In turn, cyber insurance companies are looking at their clients and asking them to demonstrate the measures in place to manage their cyber-risks, adhering to a recognized standard that can satisfy that requirement.
So if we were to look at the ‘Cyber Life of Brian,’ we should not lament the paperwork and governance overhead that standards and regulations bring. Instead we should recognize that not only do standards require a minimum baseline for all to adhere to, but also provide the security team with the opportunity to engage with the business and get the support needed to implement security in a positive way
Compliance Competency: Far From a Security Guarantee
Compliance does not guarantee security. Security leaders in regulated industries understand this mantra, however historical breach trends are beginning to show that compliance-focused security programs aren’t doing enough. Verizon’s 2019 Data Breach Investigation Report examined 41,686 security incidents and 2013 data breaches across 86 countries alone, highlighting the fact that cyber-attacks continue to happen, and threat actors continue to circumvent the defensive measures put in place by enterprise security teams.
There is a multifaceted hypothesis for this trend; organizations do important work and are consequently always attacked and there are several requirements companies must adhere to that creates ambiguity. However, threats stemming from regulatory roots have created opportunities for organizations to treat compliance as a foundation for their security programs.
Regulated industries require oversight as assurance. National and global critical infrastructure organizations need excellent oversight due to the importance of the work they do. In fact, a recent Ponemon Institute study found that 90% of national infrastructure operators had been hit by at least one successful cyber-attack. In today’s technology-enabled age, cybersecurity regulation sets the minimum bar of security requirements.
Regulations that are born from local, state, national and international legal remits are not always impactful in addressing emerging threats surrounding modern computing methods, and result in several nuanced mandates for businesses to adhere to. The onus is on the company to navigate which regulatory rules apply to them. However, engaging in domestic and international business creates a complex equation of what data protection and privacy regulations apply. From this difficulty arises confusion, and confusion results in error, all to the advantage of cyber-attackers.
Industry has appropriately responded to help companies that are affected by the complexity described above. Several consultative firms have emerged to help on both sides of the fence of the compliance equation. They work with the regulators to support the compliance verification and audit processes, laying out the rubric of assessment, or serving as labor to execute the interviews and data collection of the audits. They also help businesses prepare for these audits by outsourcing the preparation, or driving ‘mock audits’ as readiness exercises.
These challenges result in an often significant security expenditure in navigating regulatory hurdles, which drains resources for broader security investments, also known as the security investment Solomon conundrum.
Some of the most defined and specific regulations applied to some of the biggest breaches we have seen in recent history, but the climate is changing. The incentives to do more just haven’t been meaningful and, due to the periodicity of updates, most breaches that have occurred have been within compliant organizations. For example, in December 2013, it became publicly known that Target Corporation was breached and 110 million consumers’ payment card information, names, phone numbers, email and mailing addresses were compromised. However, Target was validated as being PCI-compliant two months before the breach. Heartland Payment Systems also admitted to a breach in 2009 that affected as many as 94 million credit card accounts, despite its PCI-compliance.
Today, the continued frequency and severity of breaches have resulted in far more substantial fines. However, regulatory compliance still serves as the bar of accountability, even though it is no longer valid with modern computing methods. These requirements need to be retooled, as national standards are not a bad idea for making sure companies are on the same page. This would greatly assist small- and medium-sized businesses that cannot afford to manage the security investment Solomon conundrum.
Standards need to breathe with emerging threats, modern computing methods and business trends. One of the biggest issues with current regulations is the periodic nature of compliance assertions.
Given companies are often found to be non-compliant during a breach, compliance standards should evolve to require continuous validation requirements. The security industry’s support tactics also need to evolve in tandem and require more authoritative validation of cyber-hygiene. Make the adversary work harder, while you work smarter, and balance realistic budgets with maximum security