Cybersecurity threats have significantly increased since March of 2020 when much of the economy was forced online to help us cope with the Covid crisis, including a number of high profile attacks by international criminal groups and adversarial governments. This past June, FBI Director Christopher Wray compared the danger of ransomware attacks on US firms by Russian criminal groups to the 9/11 terrorist attacks. When Biden and Putin met in Geneva a few weeks later, cyberweapons control was at the top of the agenda, a spot previously occupied by the control of nuclear weapons.
It’s been clear for a while that in a world increasingly governed by digital data and transactions, our existing cybersecurity methods have been far from adequate. To learn more about this very important area, earlier this year I joined CAMS, MIT’s interdisciplinary cybersecurity initiative, and started attending its research seminars.
At a recent seminar, I heard a very interesting presentation on Compliance and Cybersecurity by CAMS research affiliate Angelica Marotta. Her seminar was based on Convergence and divergence of regulatory compliance and cybersecurity, a recent paper she co-authored with MIT professor Stuart Madnick.
Marotta’s opening slide included succinct definitions of cybersecurity and compliance that highlight their different objectives:
- Cybersecurity is responsible for the “internal procedures established by a company to improve the security of its operations.”
- Compliance is responsible for the “external regulations established by governments or industry groups that must be met.”
Today, in order to be successful, every organization needs to be both compliant and cyber secure. But the extent to which compliance helps or hinders security for an organization continues to be a very important research question.
Regulatory compliance is a broad topic which varies by industry and geographical location. “Compliance regarding cybersecurity is a relatively young discipline that focuses on the processes and behaviors of the people aimed at preventing and reducing risks in different areas and industries,” wrote Marotta and Madnick in their paper. “The need for cybersecurity regulations mainly stems from the desire for certainty in what is perceived as an unpredictable field.”
“The past years have been very critical for many companies with respect to their cybersecurity needs,” they added. “Recent cyber events - in various sectors - have exposed circumstances where poor regulatory management and ineffective regulations have contributed to significant negative consequences. Increased awareness has driven conversations about the importance of being compliant with current cybersecurity standards.”
Being compliant isn’t necessarily the same as being secure. Compliance, by itself, doesn’t replace an effective cybersecurity program. To understand the impact of compliance factors on cybersecurity across different sectors, Marotta and Madnick conducted eight case studies of US and European companies from 5 industries: financial services, biopharmaceutical, utilities, electricity, and communications. The eight case studies and their research methodology are described in detail in the paper.
Data for these case studies was collected through interviews with C-suite members, subject matter experts, and employees across different parts of the organization, as well as with regulators, to capture their perceptions and experiences. The interviews provided perspectives on procedures and issues from the points of view of both regulators and the organizations being regulated.
As a first step for each case study, they identified the key stakeholders who can affect or are affected by the regulatory system. While there are several different types of stakeholders, they generally fall into one of six categories:
- Legal and compliance includes both the “internal enforcers” who deal with compliance management oversight, legal obligation, internal audits, and policy development; and the “external enforcers” such as regulators, governments, industry associations, external auditors, and financial institutions.
- Leadership and governance includes the C-suite members who deal with the alignment of compliance requirements with business needs, organizational risk, processes, projects, and people.
- Security professionals help organizations translate compliance into actual security, and include CISOs, IT security managers, IT security analysts, IT support managers, and risk managers.
- Financial professionals, e.g., CFOs, financial managers, and budget owners, are responsible for deciding how to invest money in ways that are consistent with compliance and cybersecurity.
- Country stakeholders include actors other than those in national and local government, such as intergovernmental and non-governmental organizations, private organizations, and individuals, all of which interact in complex ways beyond regulations and agreements.
- International stakeholders include a variety of governments, NGOs, and private organizations that strive to develop a realistic global regulatory compliance framework.
“It is important to note that stakeholders often have different, often conflicting, goals and priorities, depending on their perspective on compliance and the role they have,” said the authors. “Most of the issues derived from the analysis of the cases emerge when the interests of stakeholder categories are not appropriately balanced or harmonized.”
After analyzing the various issues that surfaced in each case study, Marotta and Madnick identified five key problems:
Poor compliance oversight and management. “The most common management issues faced by the organizations described in the cases involve dealing with multiple compliance regimes and coordinating with internal and external enforcers for reporting on compliance outputs. … There is a very delicate balance in the relationship between regulatory and industry needs. … This divergence stems from the lack of knowledge that is available to auditors as opposed to those who actually work on the systems.”
Difficulty in developing and implementing regulations. “Excessively complex and numerous regulations contribute to increased misalignments between regulatory and security goals. … Most of the participants reported a generally negative experience towards interpreting compliance requirements correctly. The most common examples included issues associated with fragmented or unclear regulatory information, outdated regulations, and overly technical language.”
Appropriate allocation of resources and budget. “Budgets and the resources necessary for compliance functions are profoundly intertwined in an organization … a significant compliance challenge organizations face is balancing budgets in the face of increasing compliance and cybersecurity costs. … The main problem lies in the fact that organizations fail to implement a comprehensive budgeting and risk assessment strategy.”
Lack of compliance culture. “Unclear organizational roles and responsibilities seem to play a significant role in all cases. … Aligning employees to compliance culture is in every organization's interest, but there may be difficulties in allocating responsibility to establish a culture that encourages the successful implementation of regulations. … The role of the board is critical to the long-term success of a compliance program.”
Geographical implications cause high systemic risk. “Regulations uniquely impact organizations and the global actors connected to their operations. … Although most regulations are managed locally, their scope and impact can be global.” It’s thus important to balance global requirements with local or organizational needs.
“After conducting the comparative analysis, one way to look at the complicated cybersecurity versus compliance dilemma is that compliance and cybersecurity are both ‘flawed,’ but for different reasons,” wrote the authors. “Cybersecurity and compliance have similar goals around securing data and assets by managing risk. Both deal with measures and controls to reduce risk. However, the cases suggest that compliance is primarily driven by enforcement risk, while cybersecurity is generally driven by business risk.”
Marotta finished her presentation with three concrete recommendations to help address these various issues and problems:
- Drive harmonization at both the organizational and international levels by establishing frameworks that map across multiple compliance requirements.
- Take a more realistic view of acceptable risks when analyzing exposures to legal penalties, business and financial issues, and cybersecurity.
- Align the interests of all the stakeholders around programs that don’t just strengthen cybersecurity but also integrate compliance and security into the organization’s culture.
Very nice summary of this crucial area. I especially like the focus on the concept that compliance does not necessarily mean “secure enough”. Far too often we see organizations pin their hopes, and budgets, on minimal compliance. We need that holistic, focused and iterative approach that targets the right areas and addresses the most important gaps… all while establishing a good cybersecurity culture throughout the organization.
Thanks,
Bill R
Posted by: Bill Rippon | October 22, 2021 at 09:52 AM