Issues, Pitfalls – and Opportunities?

Responding to Mounting Pressure for Effective Compliance Management

Throughout this document, and across the cybersecurity industry and practice domain, risk carries a negative connotation. In business, however, innovation entails a willingness to accept some risk; refusing to embark on new paths, especially in the current uncertain environment, poses risks of its own.

According to research, business appetite for risk is notably high, with executives looking to test new approaches to their business structure, product development, and interactions with both existing customers and prospects in new markets.

Though these same executives are unlikely to willingly accept additional cyber-risk as part of their appetite for innovation, new partners, markets, and processes can all affect corporate security posture in meaningful ways, especially with respect to regulations around data collection, transfers, and security. Cybersecurity professionals need to understand that, as executive appetite for business risk increases, compliance-related defense strategies must adjust accordingly.

Risk is not (that kind of) four-letter word."

Stratascale

[Source: Stratascale 2022]

As the 360° figure indicates, one can view regulatory compliance through multiple lenses. Action can stem from a desire to avoid negative outcomes or from a broader agenda aimed at continuous improvement.

An organization’s approach to compliance largely depends on whether CISOs adopt a strategic or a reactive approach to the issue. For instance, security teams that possess a fire-fighting view of compliance will have difficulty capturing upsides and practicing improvements. Conversely, teams with an expansive, far-sighted view of compliance can identify the business and technology benefits of addressing privacy concerns, adopting frameworks, and demonstrating value to business leaders.

Although compliance is complex and CISOs may have trouble connecting solutions to payback, security leaders nevertheless face mounting pressure to address regulatory concerns. Fines for regulatory violations can be material: GDPR (the European Union’s General Data Protection Regulation) infringements can cost transgressors 4% of global revenue or €20,000,000 (whichever is greater). Meanwhile, other regulatory agencies, including the Securities and Exchange Commission, have been ramping up cybersecurity-related fines. In extreme cases, agencies may bar firms from national markets if they fail to meet regulatory requirements. Boards of directors, shareholders, and regulators expect businesses to respond effectively to cyberthreats impacting privacy, data security, and other compliance requirements.

Evolving and Pervasive Threats Are a Compliance Constant

Recent issues stemming from third-party vendor relationships revealed the level of havoc improperly secured and governed supply chains can cause. Breaches in the software supply chain (such as the Kaseya and SolarWinds exploits) disrupted thousands of private- and public-sector organizations and exposed millions of peoples’ private information.

The Colonial Pipeline attack highlighted vulnerabilities in critical infrastructure and has had a different kind of supply chain impact: the White House issued Executive Order 14028, which sets regulatory standards for firms selling to the government. Seizing on this example, many private-sector firms have instituted their own policies for verifying supplier and partner security standards.

Upside: Proactively managing your supply chain relationships associates your business with best-of-breed firms in adjacent sectors.
Downside: Poor vetting of or visibility into partners can create vulnerabilities that negatively impact operations and reputation and risks potential loss of market access.
Points of exposure: Data transfer involving third parties (within the software supply chain or commercial network) expands the potential for loss and exposure. Liability for loss, potential for enforcement actions, and negative customer reactions still rest with your organization.
Potential practice improvements: Effectively securing supply chains offers important assurance (or warnings) to the business as it pursues alliances, M&A, etc.

Cybersecurity professionals need to understand that, as executive appetite for business risk increases, compliance-related defense strategies must adjust accordingly.”

Stratascale

Against this backdrop, security leaders seek ways to align cyber-risk mitigation measures with broader Enterprise Risk Management (ERM) frameworks. An integrated view of financial, regulatory, and operational risks provides proactive CISOs with opportunities to identify and emphasize common controls and technologies that address multiple objectives, deliver better protection, and increase ROI.

Upside: Ability to respond predictably and effectively to changes in regulation and in activities that may impact regulatory exposure, supporting innovation across the business.
Downside: The lack of a comprehensive understanding of how discrete changes impact current controls, policies, and tool requirements can result in vulnerabilities or a lack of responsiveness – and a rigid, non-compliant business approach can expose the organization to significant fines (e.g., via GDPR) or other punitive actions.
Points of exposure: Security teams that lack the visibility needed to identify and capture commonalities and related efficiencies will face slow and expensive change; inability to support business risk hampers corporate innovation.
Potential practice improvements: Thoroughly and systematically mapping potential regulatory exposure, required controls, and applicable options allows security leadership teams to optimize resources and more effectively communicate with leaders across the business.

The End of the "Checkbox CISO?"

In some corners of the security industry, the term “checkbox CISO” describes leaders whose primary focus is on completing compliance attestations needed by third parties – including regulators and cyber insurance providers – asserting the existence of important security controls. Experts, however, believe high-profile breaches (especially with respect to ransomware) have exposed the importance of distinguishing between compliance and security. The checkbox approach no longer satisfies regulators or underwriters and fails to provide effective protection for the enterprise.

Stratascale experts distinguish between the checkbox approach and the business-aligned CISO, whose operations demonstrate effective control. The distinction hinges on real-world effectiveness: a CISO may indicate that an organization has deployed systems to reduce or eliminate risk in a key area, but the attestation alone fails to demonstrate that the threat has been addressed.

[Source: Stratascale 2022. Incorporates insights from HBR. DPIA categories source: ICO sample DPIA template.]

A Harvard Business Review piece titled “Have Your Privacy Policies Kept up With Your Digital Transformation?” illustrates the difference between the two approaches. Regulators (and cybersecurity issuers, who are following a parallel path⁴) increasingly demand that theoretical capabilities stand up to real-world exploits. In both internal and external communications, CISOs gain needed credibility by proving their strategies deliver promised protection of data, systems, and individuals.

⁴See, for example, Andrew et al. Scrutiny ratchets up of companies' cyber insurance, practices (PropertyCasualty360, January 2022): “The New York Department of Financial Services recently charged companies under 23 NYCRR Part 500, which established cybersecurity requirements for certain financial services entities. The Federal Trade Commission also regularly investigates and takes action against companies that fail to meet promises to consumers regarding safeguarding personal information. And the Department of Justice recently announced its intent to utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.”