By: Hank Thomas
CEO Strategic Cyber Ventures
Privately, most CISOs will still tell you that compliance almost never means real security. Nobody knows what it takes to really secure their unique cyber terrain better than experienced CISOs who live in the trenches of their organization every day. Many are doing amazing things with the tools and budget given to them.
One of the biggest compliance hurdles for the corporate world in 2018 is going to remain access control and identity management. Many organizations still do not have an adaptive identity management program that is fully integrated with their security team and capable of supporting their cyber incident response capabilities. Separating the two is the equivalent of not allowing your corporate security team to lock doors or change the locks when they decide it is necessary. What is needed is adaptive identity security.
Customer data privacy is also going to continue to haunt the corporate world. With the European General Data Protection Regulation (GDPR) deadline looming this May, organizations need to constantly be thinking about how all of their security controls point back to data protection. Doing so will not only help them remain compliant and avoid fines, but protect their valuable corporate brands moving forward.
In the US, New York’s Department of Financial Services (DFS) required compliance certification on or before February 15th. Most of the affected organizations and their security teams viewed the 15th as an attestation date. They must attest to compliance or the compensating controls they have put into place. Many of the compensating controls being focused on are encryption based. But organizations need to remember that they are not limited only to encryption when deploying their compensating controls. Cutting edge organizations are looking to use new and emerging security controls, like deceptive technology, to drive actionable security that also satisfies the state’s compliance checklist.
The inclusion of cybersecurity questions in DFS exams is long overdue. After all, the technology our adversaries are using to penetrate American networks is now cheap, plentiful, and increasingly in the hands of threat actors around the world. Increased cyber regulations, as long as they are smart regulations tied to real security fundamentals, are an increasingly important reminder to the business community. They will serve as a forcing function to help ensure that the data we entrust private industry with, and the functions we rely on them to provide to our society, are protected. We must ensure that future versions of regulations like this do not become overly prescriptive and force visionary security leaders to focus more on compliance than on real adaptive security. I would be remiss without mentioning that the governments behind these regulations must also start practicing what they are preaching to continue to be taken seriously.
Whether companies are required to comply with GDPR or become DFS compliant, more smart cybersecurity regulation is needed in a world where too many still aren’t doing enough. We must remember that businesses aren’t in business to be secure. So, if they aren’t feeling the pressure to truly increase security on their own yet, we must provide an additional incentive for them to do so as long as they remain guardians of our privacy and the critical underpinning of our national systems and democracy.