Compliance Competency: Improving Security Strategies
2020-03-09

Anyone familiar with the Monty Python movie Life of Brian can no doubt recall the famous “What have the Romans ever done for us?” scene. In this scene, the activist group Brian has joined is looking to overthrow Roman rule. In a conversation where the people in the group lament the ills the Roman Empire has inflicted on them they also highlight the advantages, such as roads, aqueducts and law and order, which Roman rule brought to the region.

In many ways, this scene reminds me of the cybersecurity industry, which regularly laments how ineffectively security controls are implemented in organizations and yet, at the same time, fails to appreciate the benefits that cybersecurity standards and regulations have brought.

If we look at the key turning points in recent times that have led boards and senior management to focus more on cybersecurity, I argue it is the introduction of security standards and regulations that has driven this new focus. This, coupled with the increasing reliance all businesses and organizations place on technology and the sharp rise in the number of very public security breaches, has made many companies look to their security teams for reassurance that their organization will not be the next to hit the headlines for all the wrong reasons.

The traditional response from many security teams has been along the lines of “trust us, we know what we’re doing,” but I would argue that this is no longer an acceptable response. As with every other aspect of business, be it HR, health and safety or finance, there are standards and regulations which those business functions have to comply with.

The introduction of the EU General Data Protection Regulation (GDPR) has brought more stringent penalties for businesses failing to secure the personal data entrusted to them by individuals or for not honoring those individuals' rights. There are other regulations the EU has introduced which have not garnered the same attention, such as the EU Network Information Security Directive, focusing on organizations providing essential services and critical infrastructure, and the Payment Services Directive II, aimed at improving the security of the online payments environment. During the summer of 2019, the EU Cyber Security Act also came into force. The Cyber Security Act paves the way for the EU to introduce certification schemes to certify products and services, particularly in the Internet of Things space, as being secure. Other jurisdictions are looking at how Europe is regulating the security industry with a view to introducing similar regulations. We also see different industry sectors, particularly those that are regulated, looking to introduce ways to ensure organizations within their sectors are implementing an acceptable baseline of security.

The argument often cited against standards and regulations is that security teams and businesses will not focus on properly securing their systems, but rather do the bare minimum to comply with the relevant standards. This may have been true in the past, but in my opinion, this is rapidly changing. The key reason I say this is because many of the above regulations now hold organizations – and indeed in some cases (such as the GDPR) individuals within those organizations – responsible and accountable for not ensuring the security of their data or services.

This focus on holding organizations accountable has taken cybersecurity out of the realm of the IT and security teams and placed it firmly in the hands of the risk committees, audit committees and the board. In order to manage the risk associated with this accountability, many organizations will now look to those responsible for security, not only in their own organization but also at any third-party providers they engage with, to demonstrate that they are implementing recognized industry good practices in securing their data. Hence we are seeing many organizations looking to get certified to the ISO 27001 information security standard or, for smaller firms, seeking certification through the Cyber Essentials scheme.

This move towards standards is not driven only by the businesses themselves. In order to offset the risk associated with a cybersecurity breach, organizations are also looking towards cyber insurance. In turn, cyber insurance companies are looking at their clients and asking them to demonstrate the measures in place to manage their cyber-risks, and adherence to a recognized standard can satisfy that requirement.

So if we were to look at the ‘Cyber Life of Brian,’ we should not lament the paperwork and governance overhead that standards and regulations bring. Instead we should recognize that standards not only require a minimum baseline for all to adhere to, but also provide the security team with the opportunity to engage with the business and get the support needed to implement security in a positive way.