Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

1/4/2019
10:30 AM
Andrew Williams
Andrew Williams
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Managing Security in Today's Compliance and Regulatory Environment

Instead of losing sight of the cybersecurity forest as we navigate the compliance trees, consolidate and simplify regulatory compliance efforts to keep your eyes on the security prize.

Two cause-and-effect trends have become increasingly apparent to many industry observers over the past 10 years: (1) cybersecurity compliance and regulatory requirements will only continue to increase in coverage, stringency, and number to address the (2) multitude of threats, vulnerabilities, data handling scandals, and cyber exploits present in today's cyber landscape.

While it has become accepted that "compliance does not equal security," it's also generally accepted that there is some correlation between the two. One recent survey by SolarWinds found that over 70% of security professionals in the federal government — one of the most heavily regulated cyber domains in the world — agreed with the statement that "compliance has helped me improve my cybersecurity capabilities." But for many organizations, complying with one regulation — say, PCI — isn't always the end. Countries, states, specific industries, customer vendor management programs and nongovernmental bodies like the Payment Card Industry Security Standards Council impose regulatory requirements and compliance obligations on private sector organizations from all sorts of industries.

Beyond obvious industries that traditionally have been heavily regulated (including finance, healthcare, and critical infrastructure), cybersecurity compliance and regulatory requirements now most heavily affect technology-focused industries that depend on customer trust to sell services: namely, cloud service providers. AWS alone publicly discloses compliance with almost 35 different cybersecurity regulations and compliance frameworks, while the market for compliant cloud services generates tremendous interest because of the ongoing shift to cloud IT prevalent in many industries.

Cloud service providers have an incentive to comply with as broad and deep a set of cybersecurity compliance and regulatory requirements as feasible because of the growing recognition that cybersecurity and public disclosure of compliance certification and regulatory adherence in data-dependent and IT-rich industries is a business enabler, not necessarily an inhibitor or a cost center.

But not every industry has the same drivers, and the impact of cybersecurity regulations extends far beyond industries who drive revenue with technology. Recent changes to the Department of Defense acquisition regulations and the advent of the EU's General Data Protection Regulation, for instance, have promulgated cybersecurity requirements to sectors of the economy that traditionally had little to concern themselves with cybersecurity. And the effects of all of this are expected to continue to manifest as high-profile breaches, misuse of data, and critical security vulnerabilities continue to make front-page headlines around the world.

What cybersecurity regulatory bodies appear to be slowly inducing in the industries they regulate and oversee is the problem of audit fatigue — poor security or operational outcomes due to a preoccupation with positive compliance outcomes instead of positive security outcomes, or the exhaustion of valuable security and engineering time and resources due to audit demands. For some highly regulated organizations, this is not a new problem — the 2015 US Office of Personnel Management data breach post-mortem even attributed part of the cause of the incident to the problem of audit fatigue. This phenomenon isn't exclusive to regulation-intensive industries and technology-driven organizations; it can realistically be diagnosed at organizations that are just now encountering their first regulatory requirements around cybersecurity and are struggling to cope

There are many proposed solutions to the problem of audit fatigue in a cybersecurity setting. Concepts such as consolidated audits and assessments, coordinated regulatory and compliance mappings, evidence-based compliance management, more effectively modeled GRC (governance, risk management, and compliance) tooling, compliance automation, and security outcome-based efforts all show promise. Regulatory bodies (most notably the federal government) have also shown progress in moving in the direction of risk-based compliance certification and continuous monitoring emphasis as opposed to point-in-time auditing, allowing organizations some much-needed flexibility when working to comply with new requirements.

Recommendations
For organizations that aren't experienced with cybersecurity regulatory or compliance obligations, however, there isn't necessarily a panacea to address the problem of learning to comply with compliance overhead in the first place or proactively planning for a future where the regulatory landscape becomes more stringent and more imposing. Before exploring industry solutions and techniques that are often oriented at organizations already well versed in compliance and regulatory requirements, here are a few recommendations for security professionals who are just beginning to dive into compliance and regulatory requirements that affect their organization (and some helpful reminders for those of us who have had to navigate a regulatory regime in the past):

1. Remember that security principles and core concepts haven't changed much. There are still high-impact security initiatives that can demonstrate immediate results, such as the deployment of multifactor authentication, implementation of security training, or clear definition of network security boundaries and access authorization. When in doubt, prioritize security concerns that have traditionally been considered high-impact. The CIS (previously SANS) top 20 security controls and other industry standard checklists often provide a good starting point when beginning such an undertaking.

2. Conduct your own cursory assessment of risk and regulatory concern as soon as feasible. Even in security-immature organizations, many security professionals already have a good idea of where "the bodies are buried." Taking stock of processes, norms, data stores, access structures, and systems that are considered high risk can formalize this implicit understanding of what's at stake and which efforts to prioritize.

3. Whether or not you're subject to regulatory or compliance pressure (but especially if you are), develop a 1-/3-/5-year compliance road map to augment the existing IT or security investment and implementation road map. Having a plan of action not only provides directional clarity to internal management stakeholders who may just be learning of what impact a new requirement has on the underlying business, it also provides external regulatory bodies and auditors assurance that you are taking your obligations seriously and has been known to reduce pressure on organizations that can't feasibly comply with a particular obligation within the expected time frame.

Related Content:

Andrew Williams is the Director of Program Development at Coalfire. In this role, he is responsible for working closely with Coalfire customers, industry bodies and regulatory authorities, and internal stakeholders to ensure Coalfire's services, delivery, and talent are ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.
CVE-2020-11533
PUBLISHED: 2020-04-04
Ivanti Workspace Control before 10.4.30.0, when SCCM integration is enabled, allows local users to obtain sensitive information (keying material).
CVE-2020-11529
PUBLISHED: 2020-04-04
Common/Grav.php in Grav before 1.6.23 has an Open Redirect.