Perimeter

1/4/2019
10:30 AM
Andrew Williams
Andrew Williams
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Managing Security in Today's Compliance and Regulatory Environment

Instead of losing sight of the cybersecurity forest as we navigate the compliance trees, consolidate and simplify regulatory compliance efforts to keep your eyes on the security prize.

Two cause-and-effect trends have become increasingly apparent to many industry observers over the past 10 years: (1) cybersecurity compliance and regulatory requirements will only continue to increase in coverage, stringency, and number to address the (2) multitude of threats, vulnerabilities, data handling scandals, and cyber exploits present in today's cyber landscape.

While it has become accepted that "compliance does not equal security," it's also generally accepted that there is some correlation between the two. One recent survey by SolarWinds found that over 70% of security professionals in the federal government — one of the most heavily regulated cyber domains in the world — agreed with the statement that "compliance has helped me improve my cybersecurity capabilities." But for many organizations, complying with one regulation — say, PCI — isn't always the end. Countries, states, specific industries, customer vendor management programs and nongovernmental bodies like the Payment Card Industry Security Standards Council impose regulatory requirements and compliance obligations on private sector organizations from all sorts of industries.

Beyond obvious industries that traditionally have been heavily regulated (including finance, healthcare, and critical infrastructure), cybersecurity compliance and regulatory requirements now most heavily affect technology-focused industries that depend on customer trust to sell services: namely, cloud service providers. AWS alone publicly discloses compliance with almost 35 different cybersecurity regulations and compliance frameworks, while the market for compliant cloud services generates tremendous interest because of the ongoing shift to cloud IT prevalent in many industries.

Cloud service providers have an incentive to comply with as broad and deep a set of cybersecurity compliance and regulatory requirements as feasible because of the growing recognition that cybersecurity and public disclosure of compliance certification and regulatory adherence in data-dependent and IT-rich industries is a business enabler, not necessarily an inhibitor or a cost center.

But not every industry has the same drivers, and the impact of cybersecurity regulations extends far beyond industries who drive revenue with technology. Recent changes to the Department of Defense acquisition regulations and the advent of the EU's General Data Protection Regulation, for instance, have promulgated cybersecurity requirements to sectors of the economy that traditionally had little to concern themselves with cybersecurity. And the effects of all of this are expected to continue to manifest as high-profile breaches, misuse of data, and critical security vulnerabilities continue to make front-page headlines around the world.

What cybersecurity regulatory bodies appear to be slowly inducing in the industries they regulate and oversee is the problem of audit fatigue — poor security or operational outcomes due to a preoccupation with positive compliance outcomes instead of positive security outcomes, or the exhaustion of valuable security and engineering time and resources due to audit demands. For some highly regulated organizations, this is not a new problem — the 2015 US Office of Personnel Management data breach post-mortem even attributed part of the cause of the incident to the problem of audit fatigue. This phenomenon isn't exclusive to regulation-intensive industries and technology-driven organizations; it can realistically be diagnosed at organizations that are just now encountering their first regulatory requirements around cybersecurity and are struggling to cope

There are many proposed solutions to the problem of audit fatigue in a cybersecurity setting. Concepts such as consolidated audits and assessments, coordinated regulatory and compliance mappings, evidence-based compliance management, more effectively modeled GRC (governance, risk management, and compliance) tooling, compliance automation, and security outcome-based efforts all show promise. Regulatory bodies (most notably the federal government) have also shown progress in moving in the direction of risk-based compliance certification and continuous monitoring emphasis as opposed to point-in-time auditing, allowing organizations some much-needed flexibility when working to comply with new requirements.

Recommendations
For organizations that aren't experienced with cybersecurity regulatory or compliance obligations, however, there isn't necessarily a panacea to address the problem of learning to comply with compliance overhead in the first place or proactively planning for a future where the regulatory landscape becomes more stringent and more imposing. Before exploring industry solutions and techniques that are often oriented at organizations already well versed in compliance and regulatory requirements, here are a few recommendations for security professionals who are just beginning to dive into compliance and regulatory requirements that affect their organization (and some helpful reminders for those of us who have had to navigate a regulatory regime in the past):

1. Remember that security principles and core concepts haven't changed much. There are still high-impact security initiatives that can demonstrate immediate results, such as the deployment of multifactor authentication, implementation of security training, or clear definition of network security boundaries and access authorization. When in doubt, prioritize security concerns that have traditionally been considered high-impact. The CIS (previously SANS) top 20 security controls and other industry standard checklists often provide a good starting point when beginning such an undertaking.

2. Conduct your own cursory assessment of risk and regulatory concern as soon as feasible. Even in security-immature organizations, many security professionals already have a good idea of where "the bodies are buried." Taking stock of processes, norms, data stores, access structures, and systems that are considered high risk can formalize this implicit understanding of what's at stake and which efforts to prioritize.

3. Whether or not you're subject to regulatory or compliance pressure (but especially if you are), develop a 1-/3-/5-year compliance road map to augment the existing IT or security investment and implementation road map. Having a plan of action not only provides directional clarity to internal management stakeholders who may just be learning of what impact a new requirement has on the underlying business, it also provides external regulatory bodies and auditors assurance that you are taking your obligations seriously and has been known to reduce pressure on organizations that can't feasibly comply with a particular obligation within the expected time frame.

Related Content:

Andrew Williams is the product director for the Cyber Risk Advisory and FedRAMP Assessment Services teams at Coalfire.  As product director, Andrew oversees Coalfire's sales, delivery, and professional development strategy for all advisory and assessment personnel ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4035
PUBLISHED: 2019-03-22
IBM Content Navigator 3.0CD could allow attackers to direct web traffic to a malicious site. If attackers make a fake IBM Content Navigator site, they can send a link to ICN users to send request to their Edit client directly. Then Edit client will download documents from the fake ICN website. IBM X...
CVE-2019-4052
PUBLISHED: 2019-03-22
IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by unauthenticated users to discover login ids of registered users. IBM X-Force ID: 156544.
CVE-2019-9648
PUBLISHED: 2019-03-22
An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information.
CVE-2019-9923
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVE-2019-9924
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.