SecurityWeek

Privacy & Compliance
Risk and Regulation: Preparing for the Era of Cybersecurity Compliance

The next twelve months will see the implementation of several regulations designed to improve cybersecurity standards across various industries.

As cybersecurity professionals, we talk a lot about risk. In a world where only the most naïve would suggest that we can prevent all cyber-attacks, we must make sure we understand which cyber threats have the highest risk of becoming reality, and allocate our security resources accordingly. Indeed, this is a key use case for threat intelligence platforms, which help companies identify and understand threats in the context of their business. In our hyper-connected technology environment, if everyone does this effectively, cybersecurity standards will rise, and collective risk will be reduced.

However, cybersecurity performance varies significantly between companies, industries, and countries, which can result in uncontrolled cyber risk. This is particularly problematic when it concerns the digital networks of organizations supplying critical national infrastructure, finance and healthcare, and all the other sectors on which modern society depends. When a cyber-attack has the potential to cause a significant threat to life and disrupt the stability of society, the risk can’t be ignored.

The urgency of addressing cyber risk has swung squarely into the sights of governments and international authorities, and regulation is the result.

Rising risk ramps up cybersecurity regulation

The next twelve months will see the implementation of several regulations designed to improve cybersecurity standards across various industries. Many of these also require in-scope companies to provide assurance of the cybersecurity performance of key entities in their supply chain.

Two of these regulations cover the EU – the NIS2 Directive covers companies in critical industries and their supply chains, while the closely related Digital Operational Resilience Act (DORA) covers financial institutions and their ICT suppliers. Despite their EU origin, however, the inclusion of supply chain companies in these regulations means their effects will be felt outside the borders of Europe. Both directives set strict requirements for a risk management-based approach to cybersecurity and the requirement to report incidents in a timely manner. In this, they echo the SEC’s recently adopted rules “requiring registrants to disclose material cybersecurity incidents and to disclose on an annual basis material information regarding their cybersecurity risk management strategy.”

Cybersecurity accountability reaches new heights

What’s different about some of these new regulations is the level of accountability, and the enforcement powers provided to authorities in the event of non-compliance.


In the past, regulations have been criticized for having a lack of “teeth”, but there is a clear move here to allocate cybersecurity responsibility outside the traditional domain of the IT department. Senior leaders who preside over non-compliant cybersecurity programs now face being temporarily prohibited from executing managerial functions within their business. They may also be publicly named and can be held legally liable for cybersecurity failings. This, together with the multi-million dollar fines that can be levied for breaches, has made cybersecurity effectiveness and assurance a board-level concern.

We have been in similar territory before. When corporate scandals shook the financial sector in the early 2000s, the Sarbanes-Oxley Act 2002 was introduced to restore trust and improve financial accountability. Its Section 302 provision requires senior corporate officers to provide written certification that the company’s financial statements comply with SEC disclosure requirements. Directors who sign statements they know to be false face criminal penalties.

Under NIS2, management bodies of essential and important entities are required to “approve the cybersecurity risk management measures taken by their organization in order to comply” with the directive. They must oversee its implementation and “can be held liable for infringements”. Regulators hope this leads to a SOX-like effect.

Challenges connecting compliance demands to operational requirements

Despite the goal of increasing accountability at the highest levels, there seems to be a challenge in getting all the different stakeholders involved in achieving compliance into alignment. Our experience to date is that the regulations’ multidisciplinary nature is causing uncertainty over where responsibility for leading the response should lie. We’ve talked to CISOs who are acutely aware that the regulations will impact their cybersecurity program but are struggling to get a lead from the governance, risk, and compliance (GRC) teams responsible for setting the organization’s risk tolerance levels. In contrast, some SecOps teams are telling us that regulatory compliance is not their responsibility, despite the regulations mandating security practices and minimum performance levels.

Successful compliance will require a multi-aspect approach with CISOs and operational teams working closely with risk and compliance specialists to fully understand cybersecurity risk and the tools that can remediate it. This is an excellent opportunity for CISOs and security teams to establish a strong profile with the board and legal teams as they design programs that deliver effective cybersecurity proportionate to risk and provide the assurance needed by management bodies.

Preparing for cybersecurity regulation compliance – taking a threat intelligence-informed approach

As senior leaders seek assurance over the effectiveness of their cybersecurity program and aim to manage cyber risk, threat intelligence has a central role to play.

By collecting, collating, and prioritizing threat intelligence in the context of the business, decision-makers can better understand where risk resides and how to manage it. This leads to better resource allocation and a stronger defensive posture.

Incident response is another regulatory focus area for both NIS2 and DORA. Companies are required to report significant incidents within as little as 24 hours, including as much information about the event as possible. This must be followed by subsequent reports detailing indicators of compromise, severity, and likely impacts. Here threat intelligence gathering is critical to ensure these reports are accurate. Cybersecurity automation via a threat intelligence platform can play a major role in automating aspects of incident response, such as setting up notifications for relevant authorities and powering investigation and evidence collection activities.

Another common feature of recent regulations is their focus on information sharing and collaboration. As authorities seek to strengthen their collective hand against malicious actors, they recognize the importance of pooling threat information. The more organizations leverage threat intelligence, the more analysis will take place.

When this analysis is shared between businesses, industries, and authorities it helps to build a rising tide of competence and awareness that will achieve the regulators’ goals.

Why we should think positively about cybersecurity compliance

I expect to see an increased focus on cybersecurity risk management resulting from these regulations. And, given the borderless nature of cyberattacks, I believe that regulations will cross borders in a similar way. Cybersecurity is everyone’s responsibility, and these regulations are structured to reflect that.

However, I don’t believe we should view them with the same concern for compliance burden as Sarbanes-Oxley is viewed in the corporate sector. We have the tools and analytics capabilities to be able to obtain good visibility over cybersecurity risk and performance, and putting effective cybersecurity programs in place is a business-critical benefit, not just a compliance exercise. As we enter the era of cybersecurity compliance, we should do so with a positive mindset that will help these regulations achieve their goals for the benefit and protection of us all.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
