So there I was the other day, talking to one of the many tech vendors in this field, when our conversation turned to a perpetually puzzling question: Why is the relationship between compliance and cybersecurity so difficult to get right?
After all, my acquaintance and I lamented, cybersecurity has been one of the top corporate priorities for years — but despite all that talk about cybersecurity, and the spending that goes into it, corporations still haven’t tamed the risk. If anything, cybersecurity threats are getting worse.
Why is that? What’s the stumbling block here?
My friend the vendor’s thesis was this: that for too long, regulatory compliance obligations around security and data privacy have eclipsed the business imperative to get cybersecurity right. He may be onto something.
For example, we all know broadly that cybersecurity is a threat to the organization — but if we tried to list all the specific ways that cybersecurity might threaten the organization, and the remediation steps your organization should take in response, we couldn’t. That list would be miles long.
On the other hand, we can worry about specific regulatory compliance issues related to privacy and cybersecurity. It’s easy to understand the regulatory enforcement risks that stem from a data breach, and it’s easy to understand the steps you should take to avoid that compliance risk.
That is, if you want to achieve PCI DSS or HIPAA or GDPR compliance, you have ample roadmaps to do that. You can adopt the necessary written policies, conduct the training, encrypt the data at rest, implement the firewalls, and so forth. You can tell your board, “We did our due diligence to achieve compliance with the relevant statutes and regs” — and you’d be right.
And then, six months later, you’d get breached anyway. You achieved regulatory compliance, but you didn’t tame the operational threat.
My friend the vendor had a succinct analysis for all this. “It’s easier to solve for compliance than to solve for cybersecurity, because you know when the next audit is coming. Cybersecurity is a game of whack-a-mole,” he says. “So we solve for compliance, not cyber.”
Is the Cybersecurity Calculus Changing?
My question is whether we’re now at an inflection point with cybersecurity, where the equation my friend laid out gets flipped on its ear.
What’s happened is the rise of ransomware attacks. That has clarified to the executive mind that poor cybersecurity can lead to real operational disruption, which is something management and the board can’t ignore.
Look at what happened to Colonial Pipelines. Look at what happened to JBS. Look at what happened to any other number of hospitals, government agencies, or corporations. Those attacks have demonstrated that cybersecurity isn’t just a regulatory compliance issue, that you can dismiss as a cost of doing business. Cybersecurity is also an operational issue that affects your ability to do business.
Yes, cybersecurity has always been a blend of those two things. But is that balance now shifting toward the operational threat?
If we want to understand this fully, look to the rise of bitcoin and other cryptocurrency.
Bitcoin created a means of monetary exchange for ransomware, which didn’t exist before. It allowed hackers to employ easier, more lucrative methods of attack — and so they did. That’s what today’s headlines are all about.
For example, 10 years ago the low-hanging fruit for attackers was consumers’ personal data. You could copy it from corporate archives and then sell it on the dark web somewhere, but you still had to sell it. Converting the stolen asset into cash was always the last step.
Bitcoin eliminates the conversion problem for attackers. Which means they no longer need to steal an asset that requires conversion. The more valuable asset is the company’s ability to operate — so that’s what you steal, via a ransomware attack.
Nobody could do that until now because (a) corporate operations weren’t so heavily dependent on IT; and (b) you couldn’t easily launder the ransom proceeds into usable cash. Both of those restraints no longer hold, so ransomware has soared as a cybersecurity threat.
Now let’s go back to my friend the vendor’s quip: “It’s easier to solve for compliance than to solve for cybersecurity.”
That may be true, but in our newly emerging world, it’s more urgent to solve for cybersecurity than compliance — because, really, what senior executive will care that the business is GDPR-compliant, if the company can’t get gas into the pipeline or meat off the loading dock?
What Comes Next
That still leaves us with the question of how compliance, security teams, and other risk assurance functions should work together to combat such a pernicious threat.
The challenge for the organization will be how to embed good cybersecurity practices across the whole enterprise, when you don’t have a static, fixed risk to manage. Instead, you have one that shifts and evolves constantly. That’s far more complicated than the risk of non-compliance with a specific regulation.
Clearly the compliance team can be part of the response, because so many of the necessary measures are things that compliance does well: developing policies, testing internal controls, assuring that training of employees and third-parties takes place, and so forth.
What we’ll need, however, is a much more collaborative, “whole company” approach to addressing cybersecurity. IT teams will develop and implement the technical tools. Internal audit will explore the risks and test existing controls. Compliance (perhaps in conjunction with HR) will help the IT security team to roll out policies, procedures, training, and other steps across the extended enterprise.
That’s not going to be easy. Boardroom and senior executive support will be crucial to mobilize so many resources, and to maintain that focus quarter after quarter. That’s hard enough to do for specific regulatory risks, let alone an amorphous operational risk like cybersecurity.
Then again, if cybersecurity really is at an inflection point, maybe this effort will finally get the attention it deserves.