Keeping Up With a Moving Regulatory Landscape

Steve Durbin

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. He is a frequent speaker and commentator on technology and security issues. Mr. Durbin has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner. He has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors. Mr. Durbin has also served as a Digital 50 advisory committee member in the United States, a body established to improve the talent pool for Fortune 500 boards around cyber security and information governance. He was ranked as one of the top 10 individuals shaping the way that organizations and leaders approach information security careers in 2014. Mr. Durbin is currently chairman of the Digiworld Institute senior executive forum in the UK, a think tank comprised of Telecoms, Media and IT leaders and regulators. He is a Chartered Marketer and a Fellow of the Chartered Institute of Marketing.

As pressure from regulatory compliance increases, the modern Chief Information Security Officer (CISO) must take an increasingly integrated and well-rounded approach to information risk management. By applying strong information security measures, the CISO is more likely to stay ahead of regulatory mandates.

There is no way to get around data privacy laws and regulations. Businesses must either comply or pay a stiff penalty. Few jurisdictions, if any, are identical in their regulations, privacy legislation, and fraud and breach prevention requirements. Traditional data protection methods may be hard to apply, or unusable, when it comes to storing or harnessing data in the cloud. Unless you constantly monitor the rules, and put tools in place to do so, you might be compromising not only your information but also your corporate responsibility.

Most governments have created, or are in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations that fail to protect it sufficiently. As a result, businesses need to treat privacy as both a compliance and a business risk issue, so as to reduce regulatory sanctions and commercial impacts such as reputational damage and the consequential loss of customers after a privacy breach.

Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed ones. To determine what cross-border transfers will occur with a particular cloud-based system, an organization needs to work with its cloud provider to establish where the information will be stored and processed.

Stress the Importance of Cyber Resilience

Businesses are operating in an increasingly cyber-enabled world, and traditional risk management isn’t responsive enough to deal with the risks that arise from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that evaluates threat vectors from a position of business acceptability and risk profiling.

Cyber resilience recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves. Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.

Organizations of all sizes need to make sure they are fully prepared to deal with attacks on their valuable data and reputations. The faster you can respond to these problems, the better your outcomes will be.

Here are a few steps that businesses should implement to better prepare themselves:

  • Re-assess the risks to your organization and its information from the inside out
  • Change your thinking about threats
  • “It couldn’t happen here” is not a great backup plan
  • Implement a cyber-resilience team
  • Put a recovery plan in place
  • Revise cyber security arrangements
  • Focus on the basics
  • People and technology
  • Be ready to provide proactive support to business initiatives in order to protect your reputation and minimize brand damage
  • Prepare for the future

As the world’s businesses, governments, and economies grow more interdependent, knowing how to build resilient organizations and nimble incident response will be vital to more than cyber security. We no longer hide behind impenetrable walls, but operate as part of an interconnected whole. The strength to absorb the blows and forge ahead is essential to competitive advantage and growth, in cyberspace and beyond.

Four Actions for Better Planning

Each and every day, demand for cloud services increases as the benefits of cloud services change the way organizations manage their data and use IT.

Here are four actions that organizations can take to better prepare:

  • Engage in cross-business, multi-stakeholder discussions to identify cloud arrangements
  • Understand clearly which legal jurisdictions govern your organization’s information
  • Adapt existing policies and procedures to engage with the business
  • Align the security function with the organization’s approach to risk management for cloud services

With increased legislation around data privacy, the rising threat of cyber theft, and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.

But remember: your privacy obligations don’t change when information moves into the cloud. This means that most organizations’ efforts to manage privacy and information risk can be applied to cloud-based systems with only minor modifications, once the cloud complexity is understood.

This can provide a low-cost starting point to manage cloud and privacy risk.

About the Author

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Tags: data privacy, security awareness, cyber resilience, Steve Durbin
