Regulatory Compliance vs. Security – Can They Coexist?
3 November 2016
I recently participated in a highly interactive and thought-provoking panel of Chief Information Security Officers at the Information Security Executive (ISE) Northeast Executive Forum and Awards 2016. The panel included CISOs representing a diverse set of very large multinational corporations, including Staples, Bunge Limited, Manulife/John Hancock and Skillsoft.
An underlying theme of the panel discussion was compliance versus risk, or whether regulatory compliance actually has a positive or negative impact on an organization’s security. There was a wide range of opinion on this question. One positive impact noted about security regulations is that their potentially negative consequences (fines, lawsuits and response and recovery costs) have contributed to elevating the topic of cybersecurity to a boardroom-level priority. This has at least helped many CISOs obtain funding for critical security investments in what has historically been a highly resource-constrained environment.
The panel hotly debated what constitutes a company’s exercise of a due care or due diligence level of cybersecurity. To dive into the matter of due care in cybersecurity, participants used the example of patching software vulnerabilities. Topics included: Is there a maximum length of time from when a patch is available for a security vulnerability to when the patch must be implemented that assuredly avoids any claims of negligence? Is it measured in days, weeks, months or even years? And does the answer depend on the severity of the security flaw being patched and the value of the systems affected?
Of course, patching alone does not equal cybersecurity. Some systems – such as industrial control systems used to run manufacturing processes and critical infrastructure operations, including the electric grid and nuclear power plants – cannot be taken offline for patching, as the potential impact of their unavailability is simply too high to justify it. There are also “zero-day” vulnerabilities: flaws in software code that hackers can exploit but that are unknown to the vendors of the affected applications, so no security patch exists for them. However, the hype around such zero-day flaws may greatly outweigh the reality that cyber attackers, even those with nation-state sponsorship, are still mainly exploiting known software vulnerabilities to conduct the most significant, outsider-driven data breaches. With so many systems remaining unpatched against such widely known and pervasive vulnerabilities, this is a logical approach for hackers, as it is much easier and more cost-effective for them.
So what really constitutes a due care level of cybersecurity, particularly across all types, sizes and maturity levels of organizations? There are “cyber hygiene”-based frameworks that provide a prioritized approach to guide businesses on which cybersecurity controls they should implement first and foremost, notably the Center for Internet Security’s Critical Security Controls. Such approaches can be leveraged, in concert with an assessment of an organization’s risk, to help prioritize the control set required by the various regulatory regimes to which a company must adhere based on the nature of its business and operations (PCI DSS, GLBA, HIPAA, etc.).
One factor critical to an organization’s cybersecurity plan and control implementation is a risk-based approach. To be sure, savvy CISOs have learned to use certain security controls that often provide a greater return on investment than others, and the panelists specified several of these, including incident response, cyber threat information sharing, antimalware products, penetration testing and multi-factor authentication. But the consensus was that each business must base its cybersecurity investments on its own unique assessment and tolerance for risk.
A security strategy that is well suited to address the many varied and often continually changing cyber threats and vulnerabilities (and thus the overall risk faced by organizations) is “defense in depth,” or a layered defense. The approach employs several different and compensating controls that build resilience by helping to mitigate the overall negative impact when one or more controls are defeated or are unable to address a specific attack vector. For example, network perimeter defenses such as firewall rules and IDS/IPS signatures are vital parts of a due-diligence level of cyber defense, but they are unable to counter many insider threats without additional defensive layers.
Organizations also need security controls that maintain effectiveness beyond network perimeters to keep up with rapidly growing requirements for sharing, accessing and using sensitive corporate information wherever knowledge workers must and will work — often outside the office and on mobile devices and cloud environments that are both company- and employee-owned or managed. An ideal layer of a defense-in-depth strategy that enables such information-level security and control is information rights management (IRM).
IRM solutions maintain strong encryption-based controls over the content and authorized permissions of sensitive files throughout their lifetime, no matter where they are shared or saved. And because access to IRM-protected files must be authenticated, they create an audit trail of all attempts — successful or not — to access such information; thus auditability and accountability controls can be enforced for sensitive information wherever it resides. IRM capabilities can help greatly reduce the risk to organizations that must share sensitive information with business partners, as well as help such enterprises comply with the many cybersecurity regulations that require strong encryption, access controls and auditability around the sensitive data they were designed and enacted to protect.
Rick Comeau is a Security Advisor for the Intralinks Enterprise-Commercial Sales Team. He previously led the Center for Internet Security (CIS) program that develops consensus-based, secure configuration guidance and automatable assessment and remediation content, which is recognized as authoritative security guidance by leading standards bodies such as the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) Security Standards Council.