Cybercrime damages are predicted to cost the world $6 trillion annually by 2021. So, governments are focusing on this growing problem, cyber regulations are proliferating, and those regulations are becoming increasingly complex. Often, boards and their CISOs become totally focused on – or even obsessed with – cybersecurity regulatory compliance.
But cybersecurity experts say it’s critical for board members to realize that regulatory compliance does not translate into real security – and, in fact, it can give organizations a false sense of security that actually leaves them more vulnerable to cyber attack. It’s better to think of compliance as an important piece in the cybersecurity puzzle, but far from the whole picture.
“The truth is, good cybersecurity leads to strong compliance – not the other way around,” notes Rick Grinnell, a cybersecurity and artificial intelligence startup investor with Glasswing Ventures who sits on multiple boards.
Experts point to three overarching reasons boards overly focused on compliance, as opposed to a security strategy that prioritizes business risk, can set up their organizations for trouble: a mismatch in the pace of change, diverting resources from the most valuable tasks, and the “checkbox” approach.
Regulatory Change is Slow, Cyber Threat Evolution is Fast
Regulations are static, or slow-changing at best, while the cyber threat landscape is rapidly evolving. The growing interconnectedness of networks, devices, and organizations as a whole is challenging businesses around the world to adapt and evolve, but when it comes to cyber, those interconnections are leading to exponential growth in the number of ways cyber criminals can attack.
Regulations, meanwhile, are often fighting last year’s battles (at best), because of the time it takes to produce them. Organizations that want to stay safe must look ahead and keep pace with the changing nature of cyber threats.
The history of the Payment Card Industry Data Security Standard (PCI DSS) offers clear insight into this issue. PCI DSS is administered by an industry association, not by a government. It is currently in its eighth version since debuting in December 2004 – which means a new set of rules has been produced, on average, more often than every two years. The scope of PCI DSS compliance is constantly growing as technology changes. Every year, its requirements get more detailed, more stringent, and include more systems and processes. By contrast, the U.S. Federal Information Security Management Act (FISMA) of 2002 was updated once, 12 years later, in 2014.
Compliance Focus Can Divert Critical Resources From Risk-Based Cybersecurity
FISMA 2002 brings us to the second point. FISMA mandated that U.S. government agencies provide detailed binders of documentation regarding the status of their networks. But its stringent requirements diverted resources away from real-time risk management and towards production of records that did not actually help the agencies detect and protect against cyber risks – a misallocation of resources that could cause an organization to become more vulnerable to a breach, notes Ryan Gillis, Vice President of Cybersecurity Strategy and Global Policy at Palo Alto Networks.
“Companies that focus exclusively on regulatory compliance can end up diverting people, resources, and technology away from the underlying goal of reducing cybersecurity risk,” says Gillis.
An article on the website of banking industry association The Clearing House asserts that the real damage to organizations often doesn’t happen at the moment the breach occurs. It’s often during the “dwell time,” the time it takes for companies to detect breaches and respond effectively, that cyber criminals have the opportunity to damage networks and steal data. So if organizations are distracted by complex regulations and not devoting appropriate resources to detecting breaches rapidly, they may inadvertently end up more vulnerable despite feeling more secure.
Gillis emphasizes the need for smart, risk-based regulation that “incorporates allowances for technology flexibility, so defenses can evolve and organizations are not locked into certifying certain procedures or installing certain technologies that don’t ultimately keep pace with the threats, or reduce risk.”
‘Checkbox’ Approach Makes Organizations More Vulnerable, Not Less
Regulations are often followed line by line, with organizations “checking the box” as they go. But companies with the most mature cybersecurity models know it’s crucial to follow the spirit of the law instead of its letter.
Europe’s upcoming General Data Protection Regulation (GDPR) offers a good example. One new GDPR requirement is to report breaches within 72 hours; another is to appoint a Data Protection Officer (DPO). Many companies have “checked the box” by simply adding the DPO title to their CIO or CISO. Gillis stresses that treating GDPR requirements as a checklist can focus an organization “on winning the race to report a loss of data” instead of figuring out how to protect that data – and detect intrusions that threaten it – in the first place. “A focus on detection alone is an untenable place to be for your customer relationships, for your shareholders, and for the underlying interest of your country,” says Gillis.
But consider the spirit of the law: GDPR’s 72-hour reporting requirement stresses how important it is to urgently respond to a breach, which reflects how important cybersecurity is to an organization’s bottom line, says Grinnell.
Grinnell recommends appointing a CISO or DPO who will do more than just “check the box.” Instead, a CISO should strengthen an organization’s cyber risk posture, including by actively helping each employee understand their own role in managing cyber risk, which builds a more mature cybersecurity culture that can successfully defend against threats, detect intrusions, respond, and recover. A mature cybersecurity culture is one in which cyber risk management is integrated throughout the corporate culture rather than confined to a single function.
Conclusion: Mature Cybersecurity Leads to Compliance That Matters
Ultimately, it’s the role of board members and senior executives to recognize that compliance doesn’t lead to good security, and to build a corporate culture that prioritizes cybersecurity – that way, compliance comes naturally.
“The challenge with regulatory compliance comes down to the fact that one-size regulation doesn’t fit all organizations,” says Grinnell. “But any organization that really conducts its due diligence, and prioritizes the specific risks to its business, is in a much better position to address new regulations right out of the gate. A good cybersecurity framework leaves you in good shape to comply with any future regulations.”