For too long, companies have made the mistake of managing privacy and security regulations separately. This has left security holes that cybercriminals have exploited, and it has contributed to incidents such as the SolarWinds and Colonial Pipeline attacks, which shut down critical infrastructure and put the security of millions of people at risk. By integrating security and privacy management, organizations can gain a holistic understanding of their cybersecurity posture.
With the adoption and implementation of a risk management framework, organizations may have a chance to improve their security and privacy in the digital age.
But how do you get there? Which approaches must we abandon, and which obstacles must we overcome? What are the consequences of paying a ransom? With corporate, state, and federal regulations at stake, how can organizations stay on top of compliance management? Implementing a holistic, industry-wide risk management framework will not happen overnight, but there are signs of a slow transition towards it. During the main event of the STRONGER conference, "Align security and privacy using the NIST risk management framework," Dominique Shelton Leipzig and Padraic O’Reilly shared their views on the effectiveness of an integrated risk management approach that harmonizes security and privacy.
Ineffective risk solutions
Point solutions have been used to solve specific problems, but they have a very limited scope. They run the risk of not being properly socialized across the organization, and the data they produce is not communicated effectively to the board. These single-use solutions can lock security leaders into a single approach, and when you focus too much on one aspect, you risk exposing security vulnerabilities elsewhere.
Cybercriminals have a growing bank of resources and networks from which to operate. Paying the demanded ransom only gives them a greater advantage, especially when there is no guarantee that the stolen data will even be returned. Both government and private companies can agree that funneling cryptocurrency to criminals cannot be a long-term strategy.
While there have been discussions about sanctions and fines for companies that pay ransoms, there is no desire on the federal side to penalize companies. “Instead, they’re going to use whatever levers they have and go after the exchanges, which will target the middlemen between the criminal involved and the actual criminal,” O’Reilly explained. “There will be a slow transition to private regulation while gently encouraging them not to pay the ransoms. But you won’t see anyone in short-term trouble for paying the ransom because it’s Hobson’s choice.”
Like the limited reach of point solutions, a government-mandated compliance approach is not sufficient to support a long-term risk strategy. When you pursue a pure compliance approach, you run the risk that organizations will do the bare minimum needed to meet the standard.
Even the compliance the government does require applies only to federal contractors. Private companies go unchecked, which can endanger critical infrastructure sectors. A sector like the commercial facilities industry, which is largely privately owned, has no incentive or mandate to rethink its risk strategy unless it is a federal contractor.
“I think you’re going to see a bit more movement, at least on the regulatory side, to meet the standard requirements of companies that sell products in critical infrastructure sectors,” O’Reilly said. “There must be concerted efforts within the commercial sector between public and private networks as this will not be resolved without collaboration.”
Cyberattacks don’t happen in a vacuum; their effects can spread along a supply chain, which is why every organization needs to be proactive in its privacy and security management.
National privacy laws will impact the risk and regulatory landscape
California has taken one of the most controversial approaches to protecting consumer data and is giving businesses the opportunity to improve their privacy practices. The California Consumer Privacy Act (CCPA) applies to any business that collects data from California residents, regardless of where the company is headquartered.
“Each cookie violation on a website can be fined up to $7,500 per violation per California resident,” explained Shelton Leipzig. “There was a situation where a business had 100 cookies that they did not have a service provider exemption or a sales exemption for, and that turned into $750,000 per Californian per day. So you can see how that can turn into a nine-figure expense.”
In addition to fines for violations, the CCPA provides a private right of action in the event of a data breach and encourages proactive analysis of websites for violations. The CCPA is unlike any approach before it, and it requires C-suite leaders to be aware of and involved in oversight. Consumers can report cookie violations directly, using pre-populated notices addressed to the CEO.
Inspired by the CCPA, the Federal Trade Commission (FTC) received $1 billion in funding to build enforcement capacity and reassess leadership and board participation. This year alone, Colorado and Virginia passed consumer data protection laws, and seven other states, including New York, are considering similar bills.
There is a clear demand for federal and state data privacy and security laws. U.S. businesses could lose ground to global competitors, such as those from Japan and Israel, and will continue to be treated as lacking adequacy for data transfers if the United States cannot ensure data protection at the level of the General Data Protection Regulation (GDPR).
“It’s a very tenuous time for privacy, but what I will say for business is organization is key,” Shelton Leipzig said. “You need to know where your data is, have a systematic program, and access the tools businesses will need to master global compliance.”
Risk management frameworks are the solution
If companies continue with a siloed approach, they are missing a wealth of information and will not get real visibility into their risk exposure. The only way to integrate security and privacy while gaining real-time insight into a company’s posture is to take a risk management approach.
The National Institute of Standards and Technology (NIST) has added measures to protect the privacy of individuals and their data to its risk management framework. Large organizations are now looking to understand their exposure to both privacy and security risks. Because potential penalties carry a price tag, exposure can be communicated in dollars, a language that senior executives and the board understand.
To support a well-integrated risk management framework, NIST recommends six steps that advance security and privacy controls together. The first is to identify and categorize your organizational systems, including the types of information they hold, the assets involved, and operational roles and responsibilities. Next, security officials select the necessary security and privacy controls. Third, the organization implements the selected controls so that posture can be measured and compared. In the fourth step, the controls are assessed to confirm they produce the desired result. The fifth step is to determine whether the remaining risk is acceptable and to flag the failing controls for monitoring. In the final step, organizations continuously and automatically monitor their controls to maintain their security posture and remain compliant as new mandates are issued.
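To make the six steps and the dollar-denominated exposure figure concrete, here is an added example that is not from the conference talk, from NIST, or from CyberSaint: a small risk register that tracks security and privacy controls in one place, walks them through categorize/select/implement/assess/authorize/monitor, and reports residual exposure in dollars. The control identifiers, likelihoods, impact figures and the affected-resident count are constructed for illustration; the only figure taken from the article is the $7,500 per-violation, per-resident CCPA fine used to size the privacy impact.

```python
"""Toy risk register for the six RMF steps (constructed example, not NIST code)."""
from dataclasses import dataclass
from enum import Enum


class Step(Enum):
    """The six steps described in the article, in order."""
    CATEGORIZE = 1
    SELECT = 2
    IMPLEMENT = 3
    ASSESS = 4
    AUTHORIZE = 5
    MONITOR = 6


@dataclass
class Control:
    control_id: str         # hypothetical identifiers, not a real catalog mapping
    domain: str             # "security" or "privacy", tracked in one register, not in silos
    likelihood: float       # annual probability that the mitigated threat materializes
    impact_usd: float       # loss if it does: fine, outage cost, breach cost
    implemented: bool = False
    effective: bool = False  # set by the Assess step

    def residual_exposure(self) -> float:
        """Expected annual loss the organization still carries for this control.

        A control that is implemented and assessed as effective retires the
        exposure; anything else leaves the full expected loss on the books.
        """
        if self.implemented and self.effective:
            return 0.0
        return self.likelihood * self.impact_usd


def cookie_fine_exposure(unexempt_cookies: int, residents: int,
                         per_violation_usd: int = 7500) -> float:
    """Regulatory impact for a privacy control, sized with the CCPA figure quoted
    in the article: each cookie lacking an exemption is one violation per resident."""
    return float(unexempt_cookies * per_violation_usd * residents)


def exposure_by_domain(controls) -> dict:
    """Board view: residual exposure split by security and privacy, in dollars."""
    totals = {"security": 0.0, "privacy": 0.0}
    for c in controls:
        totals[c.domain] += c.residual_exposure()
    return totals


def authorize(controls, risk_tolerance_usd: float):
    """Step 5: decide whether residual risk is acceptable and list the controls
    that still carry exposure, which Step 6 must keep watching."""
    failing = [c.control_id for c in controls if c.residual_exposure() > 0]
    total = sum(exposure_by_domain(controls).values())
    return total <= risk_tolerance_usd, total, failing


def monitor(controls, assessment_results: dict):
    """Step 6: fold in fresh assessment results (control_id -> effective?) and
    return the exposure before and after, so the dollar figure moves as posture moves."""
    before = sum(exposure_by_domain(controls).values())
    by_id = {c.control_id: c for c in controls}
    for control_id, effective in assessment_results.items():
        by_id[control_id].effective = effective
    after = sum(exposure_by_domain(controls).values())
    return before, after


def build_register():
    """Steps 1-3: categorize the system, select controls, record what is implemented.
    Likelihoods are powers of two so the dollar figures stay exact in floating point."""
    return [
        Control("ACCESS-MGMT", "security", likelihood=0.25, impact_usd=2_000_000, implemented=True),
        Control("INCIDENT-RESPONSE", "security", likelihood=0.5, impact_usd=400_000, implemented=False),
        # Privacy control: 100 unexempt cookies seen by 1,000 residents (constructed scenario)
        Control("COOKIE-CONSENT", "privacy", likelihood=0.25,
                impact_usd=cookie_fine_exposure(100, 1000), implemented=True),
    ]


if __name__ == "__main__":
    register = build_register()
    print("Step 4 pending, exposure by domain:", exposure_by_domain(register))
    before, after = monitor(register, {"ACCESS-MGMT": True, "COOKIE-CONSENT": True})
    print(f"Exposure before assessment: ${before:,.0f}; after: ${after:,.0f}")
    accepted, total, failing = authorize(register, risk_tolerance_usd=500_000)
    print(f"Authorize: {'accept' if accepted else 'reject'} at ${total:,.0f}; watch {failing}")
```

The point of the design is that an unimplemented or unassessed control is never treated as "done": it keeps its full expected loss until an assessment marks it effective, which is what lets the weekly distillation O’Reilly describes show the board a number that only falls when posture actually improves.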
As organizations grow larger and larger, there may be a communication breakdown that leaves risk exposures unexplained.
“You have to speak in a language that these executives understand, because otherwise the existing gaps will not be filled,” O’Reilly said. With an automated risk management program, information can be distilled almost weekly so executives have real-time visibility into their risk profile.
“The dollars and cents adjust as the exposures adjust, and the program adjusts as you plug it in to understand what you’re doing across the organization,” said O’Reilly. “So for me it’s the future.”
Considerations for the future
There are a number of steps and solutions that businesses should consider to ensure that they are in a better position in the future. It starts with the integration of security and privacy and clear communication of risk exposures to the board.
“It involves completely reinventing the way the board engages around data, it involves understanding and aligning data practices with the mission, as well as the company’s strategic plan,” Shelton Leipzig said. “In other words, look at where the business is and where they want to go in the next three to five years and what data will they need to get there.”
However much data security officials collect, the business can still be completely exposed. Businesses need to be intentional, transparent and secure with data, and treat it as an essential asset of the brand.
For more information on aligning privacy and security, watch our main event. To find out how CyberSaint can serve as a compliance management tool for your organization, contact us.