
Friday, 27 Mar 2015

UPDATED: For Cybersecurity Are Regulators Doing More Harm Than Good?


With a dramatic increase in cyber security legislation and regulation brewing, how is that relationship with regulators going? Is it positive and productive or divisive and dictatorial?

Originally posted on LinkedIn:

CISOs – How is your relationship with your regulators?

In this SEC news release, Commissioner Dan Gallagher flags that the myriad financial services regulations (overseen by an ‘alphabet soup’ of regulators) have not had cost/benefit analyses performed.

He terms the cumulative effect on financial service institutions a “death by a thousand cuts” in terms of millions of man hours and dollars spent on assessing compliance and closing gaps to comply.

These are lessons it seems we’re running out of time to learn for cybersecurity, given this tweet from Tom Temin of Federal News Radio:

Tweet: https://twitter.com/tteminWFED/status/581430568266665984

How do you feel when these kinds of questions are asked?

  • What keeps you up at night?
  • Is your security function staffed appropriately, both in terms of numbers and skills?
  • How do you govern security and is that working?
  • What is your security risk appetite and how do you set it?
  • Tell me about your incidents and what you have done to prevent recurrence?
  • When and how will you achieve compliance?

Does it feel like an opportunity to set out your current position and discuss plans to strategically improve security, or uncomfortably like rope is being accumulated to hang you with?

It might be the FCA, SEC, ICO, a PCI QSA, external auditors or any other body. The problems seem largely the same. Lines are drawn, ultimatums are issued, timescales are set, and they frequently fail to reflect existing capability, real levels of risk, and the real work and investment needed to make a demanded change.

Board attention gets focused away from the good progress being made to mature security and towards a point-in-time snapshot of assessed weakness.

Conversely, poorly executed assessments may paint a compliant picture when you are struggling to highlight, and obtain backing to fill, security holes that you know exist.

One heartfelt plea from a CISO I correspond with was for informal chats: meetings with regulators run under the Chatham House Rule to align expectations about realistic goals, potentially inviting peers in the same industry, of similar size and with similarly mature security functions, to blamelessly and confidentially share insights.
As I called out in this article about current cybersecurity risk reality:

There is no consensus on the real level of cybersecurity risk we are living with, because data sets and ways to calculate risk vary from firm to firm

We also lack any concrete benchmarks for adequate security, either in terms of universally agreed control sets or of what a well-operated control looks like.

If, as I argue, there is no consensus on the problems or on the solutions, how can regulators prove their worth? Is regulatory oversight too often applied with no regard for local security capability and your real risk profile?

Surely the only constructive approach is to collaborate to gain sufficient intelligence about the real state of play to set achievable goals. Without that, reports from regulators can deepen the rift between security leaders and the rest of the board.

I am in no way suggesting regulation is not needed. Regulation is necessary to guard corporate and private consumers against laziness, persistent misplaced thrift, or criminal neglect of security. But are regulators doing more harm than good to diligent firms, the ones still struggling (like the rest of the world) to work out how much security is enough to minimise their risks?
Your perspectives are most welcome.
To see comments posted by LinkedIn have a squizz at the original post.
