Recommendations

Mapping the path through the regulatory quagmire

The path through the regulatory quagmire – like the quagmire itself – is complex. However, CISOs can effectively align resources to ensure that compliance risk does not become a four-letter word within their organizations by:

Connecting essential people, process, and technology resources.
Following a path defined by collaboration, organization, and optimization.
Identifying issues and responses that shape firm-level strategy.

Stratascale urges CISOs to consider the following eight points as they plot their compliance strategy:

Understand not just the what and why, but also the who.
Treat regulatory compliance as a continuous change management process.
Know what needs to be protected.
Identify everything, address what’s most important.
Foster a blameless culture.
View compliance as a foundation of growth.
Lead with persuasion, not edict.
Don’t let the cure become worse than the disease.

Our research yielded the following guidance on these issues:

Understand not just the what and why, but also the who. At root, neither security teams nor IT departments own cyber-risk. Regulations apply to the organization; reputational risk is a corporate issue, not a specific class of cyberthreat. Individual liability attaches to the board, or potentially, the CEO. Cyberthreats bubble up to the CISO, but the entire organization needs to commit to building an effective, responsible approach to the regulatory quagmire.

Treat regulatory compliance as a continuous change management process. The process should focus on the business, not simply on the “shields” deployed against vulnerabilities. The security team and IT leadership need to move past technology to view compliance as a business issue; to view the key relationships as expanding well beyond the realm of APIs to the corridors in which relationships drive corporate behavior.

Know what needs to be protected. A focus on understanding ”what are we trying to protect?” delivers relevant guidance in virtually all cybersecurity contexts. This knowledge is especially applicable when analyzing exposure across a vast, complex, and ever-changing set of regulatory requirements. Building an understanding of defense priorities helps the CISO deploy resources to areas of greatest need.

Identify everything, address what’s most important. As a corollary to the above, security teams should acknowledge that they will not mitigate every regulatory-related threat. For a major corporation, the investment needed to achieve universal mitigation would far outstrip its benefit. Enterprises that can articulate the full spectrum of potential risks, identify threats as they apply to those risks, and then mitigate those identified as business priorities stand a far better chance of achieving long-term acceptance and viability than those that fail to prioritize. CISOs need to have adequate reserves available if an attacker (or simply a change in regulations or enforcement priorities) triggers a code red situation.

Foster a blameless culture. When asked to identify the characteristics that most readily correlate to successfully navigating the regulatory quagmire, experts contributing to this report indicated that effective strategies aren’t the property of very large firms or businesses within a specific industry sector. Instead, factors like “maturity” and “mindset” provide important indications of efficacy.

In particular, security leaders should foster a culture that recognizes the likelihood of flaws during the pursuit of innovation, and incentivizes staff to identify current or potential vulnerabilities and broken processes. Blame-oriented cultures can cause staff to sweep issues under the rug. Employees may avoid highlighting potential problems that could arise from change, or avoid changing sub-optimal but tested approaches altogether.

CISOs that establish mature security operations (potentially, identifiable through their use of frameworks) can effectively implement controls that adapt to shifts in operations or regulations. These security leaders will better protect their organizations from compliance hazards than peers lacking a systematic and cultural approach.

View compliance as a foundation of growth. The ability to sustain value – from preventing fines and reputational damage to maintaining access to markets that expel suppliers in breach of regulatory requirements – stabilizes the foundation of future growth. Addressing the regulatory quagmire isn’t as sexy as launching new digital products, but it still contributes to the bottom line.

Lead with persuasion, not edict. Even the most patient CISOs may eventually want to throw up their hands and justify an unpopular stricture by saying, “Because we have to – because you have to.” Don’t give into this temptation. Not only is it unpersuasive, but it is also often wrong, as many business managers deviate from compliance guidance without facing severe penalties. Lead by persuasion rather than fiat: empower and equip people to make the right decisions.

Don’t let the cure become worse than the disease. Often, the majority of breach impact stems from the response rather than the breach itself. A good team, with strong collaboration built through regular interaction and a sound battle plan, plays an essential part in defending against regulatory/compliance risk. Running regular tabletop exercises will identify gaps and clarify your response plan, roles, and responsibilities while ensuring team members are ready to execute. In this case, an ounce of interactive testing is worth more than a pound of shelfware documentation.

What do you see when you look in a mirror?

In preparing this document, Stratascale conducted several expert interviews and reviewed dozens of third-party source materials. One third-party piece, “The Unsolved Opportunities for Cybersecurity Providers,”⁶ functions as a kind of mirror for buyers: McKinsey’s sell-side guidance highlights important issues for providers while simultaneously illustrating what buy-side executives may see when examining their ability to respond to the regulatory quagmire. This table synthesizes advice directed at vendors in 10 categories and adds Stratascale’s observations on implications for buyers arising from the category description.

⁶Aiyer, Bharath, et al. “The Unsolved Opportunities for Cybersecurity Providers.” McKinsey & Company, McKinsey & Company, 6 Jan. 2022.

[Source: Stratascale 2022]