In the fast-paced and rapidly evolving world of cybersecurity regulations, time is a critical element. New mandates come with firm deadlines to begin a continuous process of ongoing compliance, they also include many new essential factors such as the requirement to notify defined authorities within defined timeframes in the event of a personal data breach or a security incident, depending on the law.
Nowhere is this more apparent than in the European Union, as a cascade of new requirements take affect now and in the near future. The Global Data Protection Regulation (GDPR) is, of course, the most visible and potentially the biggest-impact cybersecurity protection mandate, but it is far from the only one. The Network and Information Security (NIS) Directive, designed to protect digitally dependent critical infrastructure, also has gone live—and that’s not all:
• A draft of the Cybersecurity Act and its proposed EU cybersecurity certification framework is winding its way through the European Parliament.
• The Electronic Communication Code, which will update regulations for Europe’s telecom industry and includes security requirements for those companies, is nearing final stages of negotiations in Brussels.
For those of you whose organizations are well on the way toward achieving compliance with GDPR and NIS, and are getting ready for the next wave of mandates, I applaud you. After all, not only do I realize how much work and innovation goes into ensuring your organizations are understanding and achieving the requirements that serve an important goal: to ensure that all organizations take seriously their cybersecurity responsibilities. This is a good thing—right?
And, despite the obvious good intentions behind GDPR and other cybersecurity regulations, we must all confront the harsh reality that many affected organizations simply are not fully prepared to comply—at least not yet. Part of it is undoubtedly attributable to an inability to put in place the systems and processes necessary to ensure compliance—at least not before the implementation deadlines; many simply started to late. And the situation can be very different with each new mandate. For instance, many organizations admit they still are confused by some elements of GDPR, the scope of which is very broad from gaining the right consents to gather and use personal information, through to accounting for relevant state of the art cyber security controls to protect it. NIS is very different, while some EU nations are still transposing their implementation into national laws, making it tough for businesses to validate how the directive impacts them.
So, what can we expect this year and beyond, as more and more regulations and mandates take affect?
Examples will be made of noncompliant organizations. While I’m certainly no lawyer, it’s clear that regulators intend to use the threat of strict sanctions to ensure business executives and boards take them seriously. Although I believe those penalties should be a last resort, organizations that simply flaunt the requirements should be prepared for the worst case—financial fines, blaring headlines, and loss of trust and confidence by anyone whose private information is breached.
The true impact of GDPR enforcement is still months away. Those highly visible examples of sanctions probably won’t occur immediately, as details of breaches are investigated, and the degree of violations is assessed. Situations marked by poor documentation, bad metrics, and insufficient legacy evidence will likely attract regulators, but those assessments are likely to take months to clear up. Let’s be clear: Enforcement will take place, and actions will be demanded by regulators to clean up the impact of breaches and data loss. But the real impact of GDPR is likely to be felt much later in 2018 and beyond, as the particulars of the regulation in a real-world context are debated and precedents established.
Business leaders will seek a much deeper understanding of local laws. A very wise American legislator once said, “All politics is local.” The same could be said for the NIS Directive. As a directive, rather than a regulation like GDPR, its intent is to guide EU member states to implement their own laws in support of the directive’s goals. Some countries’ existing laws will need to be tweaked slightly, others may need to be reworked, and still others may require complete overhauls. Entities that are “operators of essential services” (this includes energy, transportation, healthcare, digital infrastructure, drinking water, and some financial services) or “digital service providers” (online marketplaces, online search, and cloud computing services) are covered by NIS. For these entities, it will be essential to review each local implementation of the directive to determine to what extent your organization is affected and what you need to do to be in compliance.
So, what are the key takeaways for business executives and board members whose organizations are touched by GDPR and other mandates?
First, understand that this is just the first wave of steps that will be taken around the world to raise the bar on cybersecurity. As everything in our society becomes increasingly digitized, the scope of cybersecurity preparedness must expand, and that has obvious impact on everything from organizations’ budgets and staffing to how processes are documented and how employees are trained.
Second, it is essential that business leaders—not just CISOs and security professionals, but all business executives as well—are fully aware of what regulations are coming down the line, and what they mean to their organizations, especially where accountability for these sits in the business. Knowing for sure what the mandates mean to you, who is applying, acknowledging the go-live dates, and understanding all the finer points under the regulation are not up for debate. Business leaders and CISOs must communicate and collaborate so everyone is on the same page in terms of goals, outcomes, enforcement, and steps to clarify areas of confusion.
Finally, these and other new regulations actually create an important and exciting opportunity for organizations to step back and review their current processes and capabilities in order to ensure that are properly adapted to current and future business requirements. And, it is particularly important that they can prove this not only to outside regulators, but also to their own business leaders. For too long, there has been a gaping void between organizations’ steps to demonstrate compliance to regulators and their ability to honestly and fully assess their own practices on cybersecurity and data protection.
Business leaders no longer can routinely accept that everything is OK, and they have it all covered. They now need evidence to validate their hopes and assumptions, as increasingly required by new mandates.
There may not be a single “big bang” moment that makes us all sit up and take notice that things must change. But over the next six to 12 months, as newly enacted guidelines’ impact on how organizations work and how they protect data becomes clear, more and more attention will need to be paid to how we ensure confidence in the privacy and integrity of all data in an increasingly digital society.