The cyber security regulations landscape is evolving; laws are proliferating. You may have completed filing for your Certification of Compliance under New York’s Department of Financial Services (NYDFS) cyber security regulation (23 NYCRR 500), only to scramble to meet the May General Data Protection Regulation (GDPR) deadline. Attaining and maintaining compliance requires more and more resources, while simultaneously, cyber security resilience itself is becoming increasingly challenging to achieve. It’s now an imperative that you multitask. The compliance process can be used to strengthen your security posture beyond those requirements that any one cyber security regulation calls for.
Adopt the Requirements AND the Spirit of Cyber Security Regulations
Cyber security regulations are far from a complete to-do list of what organizations should do to secure their data. In practice, no regulation or framework written by a third party can keep every organization safe. While there are best practices, there is no one-size-fits-all in cyber security. As I wrote in an article for The Clearing House Banking Perspectives publication, regulatory compliance does not equal cyber security.
In spite of years of heavy regulation, the financial institutions that comprise the backbone of our global financial system still face great cyber risk. Some malware, such as the Dridex credential-stealing malware and the Zeus Trojan, is designed specifically to target financial services organizations, as Cisco pointed out in its 2017 midyear cyber security report. In addition, some of the factors that drive cyber risk are also competitive necessities, such as digital innovation toward more personalized customer experiences and third-party technology relationships. Current cyber defense recommendations from the Financial Services Information Sharing and Analysis Center (FS-ISAC) for 2018 include employee training and regular reporting on cyber security to the board of directors. Yet all too often, organizations approach regulatory compliance as the end goal. This is understandable given the work needed to achieve compliance, but as a result, an organization’s cyber security posture isn’t defined by the needs of the company; it is simply reactive to the law.
While cyber security regulations are hampered in effectiveness by the need to apply to all organizations, the laws all share the same spirit: data security. In fact, a lack of data security is a much greater risk than a fine under the NYDFS cyber security regulation, or even a fine stemming from a violation of the GDPR. Security should be prioritized above all.
While the “Hood Is Up,” Make Even Bigger Improvements
Compliance can be used as a jumping-off point for additional security wins. While the “hood is up” and the organization is making the financial investment and effort to be compliant with cyber security regulations, you can take advantage of this opportunity. Partner with enterprise-wide stakeholders to further mitigate risk by identifying critical assets, defining your risk tolerance level, and then measuring the exposures that stem both from a compliance standpoint and from direct cyber risk.
By proactively defining your risk tolerance level, independent of what’s called for by law, while doing what you need to do to comply with the law, you’ll be able to better navigate cyber security decisions. For example, if the law requires you to have a safe to protect your money, you’re not going to buy a $1000 safe to protect a $100 bill. But that doesn’t mean you leave the $100 bill lying on the front desk in the reception area. Likewise, promoting an IT manager with minimal security experience to CISO in order to comply with the NYDFS cyber security requirement of having a CISO is a very high-risk move for even a small business, especially if the individual does not have the skills and experience to make an organization secure.
In practice, companies that prioritize the goal of being secure end up being more than compliant. Attaining cyber security compliance may be challenging for some organizations. Becoming more secure is unarguably hard for all. When approached together, strategically, both can become easier.