The cybersecurity regulatory landscape is evolving; laws are proliferating. You may have completed filing for your Certification of Compliance under New York’s Department of Financial Services (NYDFS) cybersecurity regulation (23 NYCRR 500), and now you may be looking directly at the fast approaching General Data Protection Regulation deadline in May. Attaining and maintaining compliance is taking more and more resources, while simultaneously, cybersecurity resilience itself is becoming increasingly challenging to achieve. It’s now an imperative that you multitask. The compliance process can be used to strengthen your security posture, beyond those requirements that any one cybersecurity regulation calls for.
Adopt the Requirements and the Spirit of Cybersecurity Regulation
Cybersecurity regulations are far from a complete to-do list of what organizations should do to secure their data. In practice, no regulation or framework written by a third party can keep every organization safe. While there are best practices, there is no one-size-fits-all in cybersecurity. As I recently wrote in an article for The Clearing House Banking Perspectives publication, regulatory compliance does not equal cybersecurity.
In spite of years of heavy regulation, the financial institutions that comprise the backbone of our global financial system still face great cyber risk. Some malware, such as the Dridex credential-stealing malware and the Zeus Trojan, is designed specifically to target financial services organizations, as Cisco pointed out in its 2017 midyear cybersecurity report. In addition, the factors that drive cyber risk are also competitive necessities, such as digital innovation toward more personalized customer experiences and third-party technology relationships. Current cyber defense recommendations from the Financial Services Information Sharing and Analysis Center (FS-ISAC) for 2018 include employee training and regular reporting on cybersecurity to the board of directors. Yet all too often, organizations approach regulatory compliance as the end goal. This is understandable given the work needed to achieve compliance, but as a result, an organization’s cybersecurity posture isn’t defined by the needs of the company; it is simply a reaction to the law.
While all cybersecurity regulation is hampered in its effectiveness by its need to apply to all organizations, the laws all share the same spirit: data security. In fact, a lack of data security is a much greater risk than a fine under the NYDFS cybersecurity regulation, or even a fine stemming from a violation of the GDPR. Security should be prioritized above all.
While the “Hood Is Up,” Make Even Bigger Improvements
Compliance can be used as a jumping-off point for additional security wins. While the “hood is up” and the organization is making the financial investment and effort to comply with cybersecurity regulations, you can take advantage of this opportunity. Partner with enterprise-wide stakeholders to further mitigate risk by identifying critical assets, defining your risk tolerance level, and then measuring the exposures that stem from both a compliance standpoint and direct cyber risk.
By proactively defining your risk tolerance level, independent of what’s called for by law, while doing what you need to do to comply with the law, you’ll be able to navigate cybersecurity decisions better. For example, if the law requires you to have a safe to protect your money, you’re not going to buy a $1,000 safe to protect a $100 bill. But that doesn’t mean you leave the $100 bill lying on the front desk in the reception area. Likewise, promoting an IT manager with minimal security experience to CISO in order to comply with the NYDFS cybersecurity requirement of having a CISO is a very high-risk move for even a small business, especially if the individual does not have the skills and experience to make an organization secure.
In practice, companies that prioritize the goal of being secure end up being more than compliant. Becoming cybersecurity compliant may be challenging for some organizations. Becoming more secure is unarguably hard for all. When approached together, strategically, both can become easier.