Dark Reading is part of the Informa Tech Division of Informa PLC


Perimeter

1/4/2019
10:30 AM
Andrew Williams
Commentary

Managing Security in Today's Compliance and Regulatory Environment

Instead of losing sight of the cybersecurity forest as we navigate the compliance trees, consolidate and simplify regulatory compliance efforts to keep your eyes on the security prize.

Two cause-and-effect trends have become increasingly apparent to many industry observers over the past 10 years: (1) cybersecurity compliance and regulatory requirements will only continue to increase in coverage, stringency, and number to address the (2) multitude of threats, vulnerabilities, data handling scandals, and cyber exploits present in today's cyber landscape.

While it has become accepted that "compliance does not equal security," it's also generally accepted that there is some correlation between the two. One recent survey by SolarWinds found that over 70% of security professionals in the federal government — one of the most heavily regulated cyber domains in the world — agreed with the statement that "compliance has helped me improve my cybersecurity capabilities." But for many organizations, complying with one regulation — say, PCI — isn't always the end. Countries, states, specific industries, customer vendor management programs and nongovernmental bodies like the Payment Card Industry Security Standards Council impose regulatory requirements and compliance obligations on private sector organizations from all sorts of industries.

Beyond obvious industries that traditionally have been heavily regulated (including finance, healthcare, and critical infrastructure), cybersecurity compliance and regulatory requirements now most heavily affect technology-focused industries that depend on customer trust to sell services: namely, cloud service providers. AWS alone publicly discloses compliance with almost 35 different cybersecurity regulations and compliance frameworks, while the market for compliant cloud services generates tremendous interest because of the ongoing shift to cloud IT prevalent in many industries.

Cloud service providers have an incentive to comply with as broad and deep a set of cybersecurity compliance and regulatory requirements as feasible because of the growing recognition that cybersecurity and public disclosure of compliance certification and regulatory adherence in data-dependent and IT-rich industries is a business enabler, not necessarily an inhibitor or a cost center.

But not every industry has the same drivers, and the impact of cybersecurity regulations extends far beyond industries that drive revenue with technology. Recent changes to the Department of Defense acquisition regulations and the advent of the EU's General Data Protection Regulation, for instance, have promulgated cybersecurity requirements to sectors of the economy that traditionally had little to concern themselves with cybersecurity. And the effects of all of this are expected to continue to manifest as high-profile breaches, misuse of data, and critical security vulnerabilities continue to make front-page headlines around the world.

What cybersecurity regulatory bodies appear to be slowly inducing in the industries they regulate and oversee is the problem of audit fatigue — poor security or operational outcomes due to a preoccupation with positive compliance outcomes instead of positive security outcomes, or the exhaustion of valuable security and engineering time and resources due to audit demands. For some highly regulated organizations, this is not a new problem — the 2015 US Office of Personnel Management data breach post-mortem even attributed part of the cause of the incident to the problem of audit fatigue. This phenomenon isn't exclusive to regulation-intensive industries and technology-driven organizations; it can realistically be diagnosed at organizations that are just now encountering their first regulatory requirements around cybersecurity and are struggling to cope.

There are many proposed solutions to the problem of audit fatigue in a cybersecurity setting. Concepts such as consolidated audits and assessments, coordinated regulatory and compliance mappings, evidence-based compliance management, more effectively modeled GRC (governance, risk management, and compliance) tooling, compliance automation, and security outcome-based efforts all show promise. Regulatory bodies (most notably the federal government) have also shown progress in moving in the direction of risk-based compliance certification and continuous monitoring emphasis as opposed to point-in-time auditing, allowing organizations some much-needed flexibility when working to comply with new requirements.

Recommendations

For organizations that aren't experienced with cybersecurity regulatory or compliance obligations, however, there isn't necessarily a panacea for learning to manage compliance overhead in the first place or for proactively planning for a future in which the regulatory landscape becomes more stringent and more imposing. Before exploring industry solutions and techniques that are often oriented at organizations already well versed in compliance and regulatory requirements, here are a few recommendations for security professionals who are just beginning to dive into the compliance and regulatory requirements that affect their organization (and some helpful reminders for those of us who have had to navigate a regulatory regime in the past):

1. Remember that security principles and core concepts haven't changed much. There are still high-impact security initiatives that can demonstrate immediate results, such as the deployment of multifactor authentication, implementation of security training, or clear definition of network security boundaries and access authorization. When in doubt, prioritize security concerns that have traditionally been considered high-impact. The CIS (previously SANS) top 20 security controls and other industry standard checklists often provide a good starting point when beginning such an undertaking.

2. Conduct your own cursory assessment of risk and regulatory concern as soon as feasible. Even in security-immature organizations, many security professionals already have a good idea of where "the bodies are buried." Taking stock of processes, norms, data stores, access structures, and systems that are considered high risk can formalize this implicit understanding of what's at stake and which efforts to prioritize.

3. Whether or not you're subject to regulatory or compliance pressure (but especially if you are), develop a 1-/3-/5-year compliance road map to augment the existing IT or security investment and implementation road map. Having a plan of action not only provides directional clarity to internal management stakeholders who may just be learning of what impact a new requirement has on the underlying business, it also provides external regulatory bodies and auditors assurance that you are taking your obligations seriously and has been known to reduce pressure on organizations that can't feasibly comply with a particular obligation within the expected time frame.

Andrew Williams is the Director of Program Development at Coalfire. In this role, he is responsible for working closely with Coalfire customers, industry bodies and regulatory authorities, and internal stakeholders to ensure Coalfire's services, delivery, and talent are ...