Two cause-and-effect trends have become increasingly apparent to many industry observers over the past 10 years: (1) cybersecurity compliance and regulatory requirements will only continue to increase in coverage, stringency, and number to address the (2) multitude of threats, vulnerabilities, data handling scandals, and cyber exploits present in today's cyber landscape.
While it has become accepted that "compliance does not equal security," it's also generally accepted that there is some correlation between the two. One recent survey by SolarWinds found that over 70% of security professionals in the federal government — one of the most heavily regulated cyber domains in the world — agreed with the statement that "compliance has helped me improve my cybersecurity capabilities." But for many organizations, complying with one regulation — say, PCI — isn't always the end. Countries, states, specific industries, customer vendor management programs and nongovernmental bodies like the Payment Card Industry Security Standards Council impose regulatory requirements and compliance obligations on private sector organizations from all sorts of industries.
Beyond obvious industries that traditionally have been heavily regulated (including finance, healthcare, and critical infrastructure), cybersecurity compliance and regulatory requirements now most heavily affect technology-focused industries that depend on customer trust to sell services: namely, cloud service providers. AWS alone publicly discloses compliance with almost 35 different cybersecurity regulations and compliance frameworks, while the market for compliant cloud services generates tremendous interest because of the ongoing shift to cloud IT prevalent in many industries.
Cloud service providers have an incentive to comply with as broad and deep a set of cybersecurity compliance and regulatory requirements as feasible because of the growing recognition that cybersecurity and public disclosure of compliance certification and regulatory adherence in data-dependent and IT-rich industries is a business enabler, not necessarily an inhibitor or a cost center.
But not every industry has the same drivers, and the impact of cybersecurity regulations extends far beyond industries who drive revenue with technology. Recent changes to the Department of Defense acquisition regulations and the advent of the EU's General Data Protection Regulation, for instance, have promulgated cybersecurity requirements to sectors of the economy that traditionally had little to concern themselves with cybersecurity. And the effects of all of this are expected to continue to manifest as high-profile breaches, misuse of data, and critical security vulnerabilities continue to make front-page headlines around the world.
What cybersecurity regulatory bodies appear to be slowly inducing in the industries they regulate and oversee is the problem of audit fatigue — poor security or operational outcomes due to a preoccupation with positive compliance outcomes instead of positive security outcomes, or the exhaustion of valuable security and engineering time and resources due to audit demands. For some highly regulated organizations, this is not a new problem — the 2015 US Office of Personnel Management data breach post-mortem even attributed part of the cause of the incident to the problem of audit fatigue. This phenomenon isn't exclusive to regulation-intensive industries and technology-driven organizations; it can realistically be diagnosed at organizations that are just now encountering their first regulatory requirements around cybersecurity and are struggling to cope.
There are many proposed solutions to the problem of audit fatigue in a cybersecurity setting. Concepts such as consolidated audits and assessments, coordinated regulatory and compliance mappings, evidence-based compliance management, more effectively modeled GRC (governance, risk management, and compliance) tooling, compliance automation, and security outcome-based efforts all show promise. Regulatory bodies (most notably the federal government) have also shown progress in moving in the direction of risk-based compliance certification and continuous monitoring emphasis as opposed to point-in-time auditing, allowing organizations some much-needed flexibility when working to comply with new requirements.
For organizations that aren't experienced with cybersecurity regulatory or compliance obligations, however, there isn't necessarily a panacea to address the problem of learning to comply with compliance overhead in the first place or proactively planning for a future where the regulatory landscape becomes more stringent and more imposing. Before exploring industry solutions and techniques that are often oriented at organizations already well versed in compliance and regulatory requirements, here are a few recommendations for security professionals who are just beginning to dive into compliance and regulatory requirements that affect their organization (and some helpful reminders for those of us who have had to navigate a regulatory regime in the past):
1. Remember that security principles and core concepts haven't changed much. There are still high-impact security initiatives that can demonstrate immediate results, such as the deployment of multifactor authentication, implementation of security training, or clear definition of network security boundaries and access authorization. When in doubt, prioritize security concerns that have traditionally been considered high-impact. The CIS (previously SANS) top 20 security controls and other industry standard checklists often provide a good starting point when beginning such an undertaking.
2. Conduct your own cursory assessment of risk and regulatory concern as soon as feasible. Even in security-immature organizations, many security professionals already have a good idea of where "the bodies are buried." Taking stock of processes, norms, data stores, access structures, and systems that are considered high risk can formalize this implicit understanding of what's at stake and which efforts to prioritize.
3. Whether or not you're subject to regulatory or compliance pressure (but especially if you are), develop a 1-/3-/5-year compliance road map to augment the existing IT or security investment and implementation road map. Having a plan of action not only provides directional clarity to internal management stakeholders who may just be learning of what impact a new requirement has on the underlying business, it also provides external regulatory bodies and auditors assurance that you are taking your obligations seriously and has been known to reduce pressure on organizations that can't feasibly comply with a particular obligation within the expected time frame.