In recent years, the regulatory compliance landscape has grown increasingly complex. The passage and enactment of the European Union’s General Data Protection Regulation (GDPR) inspired the creation of several new data privacy laws in different countries and US states. Additionally, the US Department of Defense (DoD) has created the Cybersecurity Maturity Model Certification (CMMC) to improve the state of cybersecurity within the Defense Industrial Base.
Each of these new regulations mandates that organizations have certain cybersecurity controls, policies, and procedures in place to protect the sensitive data covered by the regulation. As a result, many organizations have adopted a compliance-focused cybersecurity strategy, implementing only what is required by law. However, such a piecemeal approach to cybersecurity is often unsustainable and does not guarantee protection against cyber threats.
Regulatory Compliance Does Not Guarantee Security
Many organizations boast about their regulatory compliance and the certifications that they have obtained. In fact, achieving and maintaining compliance with certain regulatory requirements is necessary for some organizations to do business and/or process certain types of protected information.
While regulatory compliance is a great place to start, it does not guarantee that the organization is protected against cyber threats. Every retailer that has suffered a breach of payment card information was certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). However, in post-breach investigations, a common theme of security and compliance issues was discovered.
This gap between compliance and security exists for several reasons. During a compliance audit, an assessor may have overlooked an issue. Or, as in the case of 63.3% of PCI DSS “compliant” organizations, the company may have been compliant at the time the audit was performed, but has let their security lapse between assessments. Alternatively, the organization could have been breached simply because the security controls required for compliance were not enough to protect the organization against real-world cyber threats.
Compliance Should Be the Floor, Not the Ceiling
The security requirements that are outlined in regulations are a good starting point when developing a cybersecurity strategy. Failure to put these security controls, policies, and procedures in place results in a cybersecurity plan that is inadequate to protect sensitive data and may result in lawsuits and regulatory penalties.
However, the fact that a single regulation requires certain security controls to be in place does not mean that these controls will thoroughly provide a reasonable level of protection against cyber threats. In fact, the security controls required by law are likely to be inadequate for several different reasons:
- Regulations are infrequently updated. The process of updating data protection laws can be complex, and an updated version can be years in the making. This means that the current version of a regulation likely does not address next-generation technology (such as 5G or the blockchain) or the latest cyber threats.
- Regulations are “one size fits all.” Data protection laws are designed to apply to every organization within their jurisdiction even though these organizations each have a unique network environment and business processes. This makes it impossible to lay out a set of required security controls that perfectly meets an organization’s security use cases.
- Regulations are designed to be a set of minimum standards. Regulatory authorities lay out a set of minimum standards as a basis for penalizing organizations that are criminally negligent in their protection of personal data. These standards are not designed to be a complete security policy or to protect against all cyber threats.
When designing a cybersecurity strategy, regulatory compliance requirements should be the floor, not the ceiling. While a failure to do anything more than the minimum requirements may not result in regulatory penalties, a data breach or other cybersecurity incident that capitalizes on an organization’s inadequate cybersecurity can still cause significant financial and reputational damage to an organization.
How MorganFranklin Can Help
The required cybersecurity controls, policies, and procedures mandated by regulations are important to include in an organization’s cybersecurity strategy. However, a cybersecurity strategy that is cobbled together from required controls is difficult to maintain and does not provide adequate protection against cyber threats.
MorganFranklin advisors can help to develop and implement a cybersecurity strategy that is tailored to an organization’s unique situation, mitigates cybersecurity risk, and complies with any applicable data protection regulations. They can assist with everything from the initial planning stage through solution selection to deployment, configuration, and long-term monitoring and maintenance.