Compliance takes up an inordinate amount of an organization’s time, budget, and manpower, particularly when it comes to ensuring that access to IT resources and vital information is safeguarded at all times. But many business leaders and CISOs are worried about the wrong thing: compliance, instead of enterprise cyber risk.
I’m not saying that compliance isn’t important. No one wants to risk fines, sanctions, or damaging publicity over regulatory violations. But compliance is not—repeat, not—your goal. Or, at least, it should not be the key focus of your cybersecurity program. And let me tell you why:
Being compliant is not the same as being secure.
For that matter, being compliant does little or nothing to ensure that your critical systems are available at any point in time, which jeopardizes everything you do. That’s why you need to focus on taking the right steps to enable secure availability of essential services and key resources in the face of broadening cyber threat vectors.
Why Availability Matters and Why It Must Be Secure
For as much attention, spending, and energy that goes into the process of demonstrating compliance, it’s important to remember that compliance is a very limited way to look at the security of essential systems or data.
Compliance regulations tend to be inherently reactive and very targeted, either by industry, geography, or type of information that needs to be protected. These requirements often focus heavily on the confidentiality and then on the integrity of the data. Although these are certainly important issues, they do little or nothing to ensure overall resilience—that is, that mission-critical systems and data are available when employees, partners, and customers need them. Even a few minutes of interrupted systems availability can cost millions of dollars, compromise customer trust, and tarnish an organization’s reputation.
Fortunately, many executives are getting the message. With increasing frequency, executives and board members are buying in to the notion that secure availability is the very foundation of compliance. As such, there are more nuanced discussions with business leaders and in board rooms that go far beyond compliance-centric issues, such as confidentiality and data integrity.
New Business Initiatives Often Expand Your Cyber Risk Footprint and Threaten Compliance
Trends such as the Internet of Things, cloud computing, enterprise mobility, and digital transformation are making organizations more efficient and better positioned to bring new products and services to market faster. They also are making organizations—and their entire business ecosystems—more vulnerable.
Take IoT, arguably one of the most exciting and promising applications of technology in decades. But when billions of everyday items are connected via the internet—not only to each other, but often also to our core business systems and IT infrastructure—we dramatically increase risks that threaten secure availability and, in turn, compliance.
Another dual-edged sword is the increased use of technology to enable customer self-service, such as online banking, omnichannel shopping, or ordering and managing municipal services from a digital consumer device or through a public cloud service. Yes, it creates a boatload of new services and improved customer engagement. And yes, it also introduces a boatload of unmanaged endpoints and easily accessible points of entry into our digital infrastructure, where systems can be disabled or rendered ineffective if availability is interrupted.
Mobility, cloud, virtualization, and other technologies also are driving new workforce models, such as distributed teams, virtual collaborations, and new models for when, where, and how people work and share information.
Each and every one of these new opportunities carries a substantial risk factor that can result in regulatory or internal policy compliance challenges. However, these challenges will pale in comparison to the consequences when new products and services are rendered unavailable due to security lapses or even network connectivity issues anywhere along the digital ecosystem.
Lessons Learned: Using a Three-Tiered Approach to Secure Availability
Over the years, I’ve worked with my business colleagues to identify and overcome cybersecurity challenges—and to help ensure compliance objectives are met along the way. I’ve come to think of this as a framework for delivering secure availability, composed of three major components:
Doing what you have to do. This is where everything starts. After all, your organization must comply with the laws and regulatory obligations of the different jurisdictions where business is conducted. These include issues revolving around custodianship of information and data privacy regulations, and ensuring that you are acting responsibly with the data that others have entrusted you to safeguard. I’m sure you’re thinking these are pretty fundamental, and you’re right. These are table stakes, essential requirements for ensuring secure availability and meeting compliance mandates. But without meeting these baseline requirements, you might as well get ready for a regulatory assault—and a costly and damaging security incident brought on by a security breach or data loss.
Doing what you said you were going to do. This is all about a rock-solid commitment to actually following through in all ways—contractually, in regulatory terms, in internal policies, and even morally. This should be part of your organization’s governance framework, jointly worked out among business leadership, IT and security teams, and legal officers. Again, the goal here is to ensure secure availability; if done right, compliance will be the byproduct. This is why your governance programs must go beyond good policies and policy management to extend to enforcement in the same way organizations enforce human resources or financial policies. Reporting must be consistent, transparent, and designed to easily flow up the organization.
Continuously refining and adapting to what “good” looks like. Fortunately, there are a number of useful and well-regarded standards for the protection of systems and digital assets, especially when they travel to and from the internet. Your CSO and IT executives undoubtedly know about the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a voluntary framework that provides models based on the principles of “prioritization, flexibility and repeatability.” And the Center for Internet Security publishes a list of the top 20 security controls, which presents a great opportunity to identify the best value for information security investments. Certainly, business leaders need to get behind these and other applicable frameworks that help identify key security and resilience objectives, as well as corresponding metrics their organizations should consider embracing.
Steps Business Leaders and Board Members Can Take Today
Once an organization understands that enabling secure availability—and, by extension, demonstrating compliance—is a business issue rather than a technical one, it has taken the first step toward achieving that goal. And there are efficient ways for business executives to learn from the lessons and experiences of others to support those efforts.
First, keep in mind that your organization should study high-profile and particularly relevant breaches and learn how they may relate to your own situation. What vulnerabilities did the breach expose that may be relevant to your organization and operations? How did other organizations respond to mitigate the damage, both technically and from a communications perspective? What is your plan if such an incident were to impact you? What was the impact on their business operations, and how exposed are you?
Second, you must have a game plan for DDoS attacks and ransomware. More and more organizations are being hit with these attacks every day. Why wouldn’t they be? They’re cheap to implement, and the bad guys are smart enough to either extort their intended victims or ask for ransoms that are small enough to be considered “nuisances” by business leaders and boards. Furthermore, your preparedness here will also enable you to better identify, protect against, detect, respond to, and recover from whole classes of destructive malware and other attacks.
Third, use regulatory and governance requirements as an opportunity for more internal dialogue and game-planning. I used to cringe at the thought of quarterly disclosure filings, internal risk reporting, compliance documentation and audits, and the like. Eventually, however, I began to embrace these and other opportunities to discuss cyber risks, impending threats, impact, and preventative steps with my business colleagues and board members, from a whole-of-business perspective. I saw them as my chance to sound warning bells and highlight key cyber risks before something bad happened.
At the end of the day, we should be worried less about passing audits and demonstrating point-in-time compliance than about the fundamentals of cybersecurity: availability, confidentiality, and integrity.
Your chief compliance officer might blanch at such heresy, but your focus on secure availability will do more than keep the regulators off your back. It will ensure you still have a business tomorrow.
Danny McPherson is Executive Vice President and Chief Security Officer at Verisign. Previously, he was Chief Security Officer at Arbor Networks, and he has held technical leadership positions at organizations such as Qwest Communications, MCI Communications, and the U.S. Army Signal Corps. This article was adapted from his chapter in Navigating the Digital Age, second edition.