In the coming months, data protection laws will continue to evolve and strengthen, requiring organizations to refine their data protection policies and demonstrate how they safeguard customers' information. As part of the changing mandates, cybersecurity frameworks will also refine customer data retention regulations.
Understanding the ongoing changes to data privacy regulations is challenging enough for chief information security officers (CISOs) and their teams. Implementing the needed changes as they occur only adds complexity and confusion. This article explores changes to consumer privacy regulations and describes ways companies can streamline their compliance efforts.
This year, the US Department of Defense is expected to enhance its national cybersecurity standard for all contractors working with the federal supply chain and handling controlled unclassified information (CUI), and mandate Cybersecurity Maturity Model Certification (CMMC) program requirements. While this mandate does not directly affect many enterprises, the ruling will certainly affect other organizations that conduct indirect business with the federal supply chain, as well as those in the private market, requiring them to meet changing data protection laws that are pivotal to businesses' daily operations.
Additionally, the California Consumer Privacy Act (CCPA), one of the country’s more stringent consumer privacy laws, will introduce enhanced rights for individuals wishing to change their personal data or opt out of marketing and third-party communications — an important consideration given the many recent third-party data breaches. Businesses must therefore establish more rigorous policies and processes to protect their systems and the critical data stored on them, and ensure those processes are well understood and enforced.
Prescriptive cyber regulations around data protection can be an asset to businesses. They help strengthen their brand reputation, given their focus on protecting user data and keeping the company safe from attacks. But because increasing regulation further stresses already constrained security, risk, and IT resources and steepens the learning curve, the negative aspects of these changes often can overshadow the benefits they offer.
Proactive vs. Reactive Measures: Which Approach Is More Effective?
As the frameworks accompanying cybersecurity mandates and compliance guidelines are also refined, many now encourage (and sometimes mandate) that businesses transition to a proactive, risk-based approach that establishes their liability based on the type of data they collect and how it's used. At the same time, many data-centric cybersecurity frameworks are pushing the industry toward proactive prioritization and risk-ranking gap analysis to enable an accurate measure of system risk while reducing required resources and time for compliance. This collision of data privacy concerns and the associated cybersecurity framework regulations is overwhelming for companies trying to strengthen their security and compliance posture.
Proactive risk prioritization based on comprehensive, contextual, and historical threat intelligence coupled with active control over the enterprise can alleviate many of the compliance headaches CISOs face. To achieve this, I recommend that CISOs and their teams take the following steps:
1. Understand how your enterprise is using data. The growing volume of data that companies collect brings a greater need for asset-aligned contextual cyber intelligence that reveals what data is needed for day-to-day operations and how that data is used. Technology solutions are available that facilitate comprehension, but gaining an accurate understanding requires an audit approach. CISOs and other leaders must consider and define the company's BAU (business as usual) processes to understand what data is needed for standard day-to-day operations. By doing this, companies can set a solid policy around what and how they use certain data types.
2. Conduct a thorough risk assessment. A full-scale cybersecurity risk assessment weighs risks both within the organization and across the supply chain against the effectiveness of core security controls that protect data. This step is critical given the high-profile software supply chain vulnerabilities in recent years. Incidents like the notorious SolarWinds breach, and many others like it, provide evidence of the importance of paying close attention to third-party risks to secure an organization's systems, networks, and data.
3. Quantify cyber-risks. Typical enterprise risk assessments prioritize risks with generic "high," "medium," or "low" ratings, pointing to the likelihood of that risk becoming an attack and the resulting impact. However, more is needed to quantify a company's risk. For example, where does the company have a presence online? How widespread are its vulnerabilities? What assets are at risk? Also, how resilient is the organization in maintaining business as usual if an attack occurs? How much would an attack cost the enterprise?
A quality threat intelligence solution identifies and enriches measurement of an enterprise's vulnerabilities and helps entities safely prioritize which gaps to address. [Note: The author's company is one of many that offer threat intelligence services.] Such threat intelligence can help security teams understand which business sectors are more at risk, what the organization’s posture is, and whether cybercriminals are targeting a particular business or software, including their own. Any area of a business or its suppliers can be a target, such as a retailer's point-of-sale systems. Threat intelligence can reveal hundreds of posts on Dark Web forums about plans to target these critical systems, for example, and alert the retailer to tighten security and prevent attackers from gaining access to business systems or customer data well before an active attack begins.
4. Define a measurable, consumable security awareness policy. Measuring the effectiveness of a security awareness program requires knowing if employees, business partners, third-party suppliers, and others fully understand and follow the company's security policies. Keeping track of cyber incidents and how they are handled can reveal how well the company communicates, trains, and enforces these policies to people on the front line, a company’s greatest vulnerability. Additionally, a robust security awareness policy requires the cooperation of the organization and its vendors, which should be clearly articulated as part of any formalized agreement.
As the amount of data companies consume and process continues to grow and malicious actors find more sophisticated ways to access that data, tightening data privacy regulations makes perfect sense. Yet the added burden of continually meeting ever-changing compliance requirements can seem nearly impossible to over-stretched teams.
By following these steps and putting proactive intelligence and analysis in place, companies and their employees, partners, and customers all come out ahead — which is good for business and good for society.