In the coming months, data protection laws will continue to evolve and strengthen, requiring organizations to refine their data protection policies further and take demonstrable steps to safeguard the privacy of individual customers’ information. As those mandates change, the cybersecurity frameworks that accompany them will also broaden what companies must do to keep customer data under lock and key.
Understanding the ongoing changes to data privacy regulations is challenging enough for CISOs and their teams. Having to implement the needed changes as they occur to remain compliant only adds complexity and confusion. This article explores a few of the expected changes to various data privacy regulations and describes specific steps companies can take to streamline their compliance efforts.
Let’s start with the Cybersecurity Maturity Model Certification (CMMC) program. This year, the U.S. Department of Defense is expected to strengthen its cybersecurity standard for defense contractors and subcontractors that handle controlled unclassified information (CUI), making CMMC requirements mandatory in DoD contracts. While this mandate applies only to defense contractors and does not directly touch many enterprises, its requirements flow down the supply chain to organizations that do indirect business with the federal government and set a benchmark for the private market, so they too will have to meet data protection rules that are front and center to their daily operations.
Additionally, the California Consumer Privacy Act (CCPA), arguably one of the most stringent consumer privacy laws in the US, will soon give individuals expanded rights to correct their personal data and to opt out of marketing and third-party data sharing, an important consideration given the many recent third-party data breaches. Businesses must therefore put more rigorous policies and processes in place to protect their systems and the critical data stored on them, and also ensure those processes are well understood and enforced across the organization. As companies strengthen their controls, evolving analysis of data usage and individual privacy rights will drive further changes to global and national mandates on which security controls to implement and how businesses prove they are protecting personal data.
Put simply, prescriptive cyber regulations around data protection can be an asset to businesses: meeting them means protecting user data better and keeping the company safer from threats and attacks, which in turn strengthens brand reputation. Unfortunately, because increasing regulation further stresses already constrained security, risk, and IT resources and steepens the learning curve, the negative aspects of these changes often overshadow the benefits they offer businesses and their customers.
Proactive vs. reactive measures: which approach is more effective?
As the frameworks accompanying cybersecurity mandates and compliance guidelines are refined, many now encourage (and sometimes mandate) that businesses move to a proactive, risk-based approach, one in which their obligations depend on the type of data they collect and how it is used. At the same time, many data-centric cybersecurity frameworks are pushing the industry toward proactive prioritization: ranking identified gaps by risk so that system risk can be measured accurately while the resources and time required for compliance shrink. This collision of data privacy concerns and their regulations with cybersecurity frameworks is overwhelming for companies trying to strengthen their security and compliance posture.
I believe that proactive risk prioritization based on comprehensive, contextual, and historical threat intelligence coupled with active control over the enterprise will help to alleviate many of the compliance headaches CISOs are facing. To achieve this, I recommend that CISOs and their teams take the following steps.
Tips:
- Understand how your enterprise is using data. With the growing volume of data that companies collect, there is a greater need for asset-aligned, contextual intelligence that reveals which data is needed for day-to-day operations and how it is used. Technology solutions can help, but an accurate picture requires an audit approach: CISOs and other leaders must map the company’s BAU (business as usual) processes to learn which data each one actually needs. This exercise takes time, but it does not have to be complicated, and it lets the company set a clear policy on what data it uses and how. This is also an area where data-security-centric frameworks help: the NIST (National Institute of Standards and Technology) Cybersecurity Framework starts from an inventory of assets and data flows, and PCI DSS (Payment Card Industry Data Security Standard) requires documenting where cardholder data is stored, processed, and transmitted.
- Conduct a thorough risk assessment. Many organizations fall short here. A full-scale cybersecurity risk assessment weighs risks both within the organization and across the supply chain against the effectiveness of the core security controls that should be protecting data. This step is critical given the high-profile software supply chain compromises of recent years. Incidents like the SolarWinds breach, in which attackers trojanized a vendor’s software update to reach its customers, show why third-party risk deserves close attention when securing an organization’s systems, networks, and data.
- Quantify cyber risks. Typical enterprise risk assessments rate risks with generic “high,” “medium,” or “low” labels that combine the likelihood of the risk culminating in an attack with the resulting impact. Accurately quantifying a company’s risk requires more. For example, where does the company have a presence online, that is, what is its “digital footprint”? How widespread are its vulnerabilities, and which assets do they affect? How likely are attackers to find and exploit each of them? How resilient is the organization, that is, could it carry on business as usual if an attack occurs? And how much would an attack cost the enterprise?
Cyber risk quantification is still a nascent field and may seem intimidating, but a quality threat intelligence solution can help. The right intelligence enriches the measurement of an enterprise’s vulnerabilities and helps it prioritize and rank which gaps to address first. Such threat intelligence shows which business sectors are more at risk and which are less so (and where the organization stands), and whether cybercriminals are targeting a particular business or piece of software, including the organization’s own. Any area of a business or its suppliers can be a target, such as a retailer’s point-of-sale systems. Threat intelligence can surface, for example, hundreds of dark-web forum posts about plans to target those systems and alert the retailer to tighten security well before an active attack begins, preventing attackers from reaching business systems or customer data.
- Define a measurable and consumable security awareness policy. Measuring the effectiveness of a security awareness program means knowing whether employees, business partners, third-party suppliers, and others actually understand the company’s security policies and guidelines and how to follow them. Tracking cyber events and incidents, and how they were handled, reveals how well the company communicates, trains, and enforces these policies among the people who form the front line and the greatest vulnerability of any company. A robust security awareness policy also requires the cooperation of the organization’s vendors, which should be spelled out in any formal agreement.
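A worked illustration of the “quantify cyber risks” tip above, added here as an example and not part of the original article: it ranks three constructed assets by expected annual loss (probability of compromise within a year times the cost of a compromise, the classic annualized-loss-expectancy formula) instead of by high/medium/low buckets, so that the digital footprint, the spread of vulnerabilities, the likelihood of exploitation, downtime resilience and cost all feed one comparable number. The asset inventory, exploit probabilities, cost figures and the `INTERNAL_REACH` factor are all assumptions made up for the example; in practice the probabilities would come from threat intelligence and the costs from the business.

```python
"""Rank security gaps by expected annual loss rather than High/Medium/Low buckets.

Added example, not code from the original article. Model: expected annual
loss = P(asset compromised within a year) x cost of a compromise. All assets,
probabilities and cost figures below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Vulnerability:
    name: str
    # Assumed yearly probability that an attacker who can reach the asset
    # exploits this weakness (in practice derived from threat intelligence).
    exploit_probability: float


@dataclass
class Asset:
    name: str
    internet_facing: bool          # part of the externally visible digital footprint?
    breach_cost: float             # data-loss cost of a compromise (constructed)
    daily_downtime_cost: float     # business-interruption cost per day (constructed)
    expected_downtime_days: float  # how long BAU would be disrupted (constructed)
    legacy_bucket: str             # the old High/Medium/Low rating, kept for comparison
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


# Assumed probability that an attacker gains the internal foothold needed to
# reach an asset that is not internet-facing. Internet-facing assets are
# reachable by anyone, so their reach factor is 1.0.
INTERNAL_REACH = 0.2


def compromise_probability(asset: Asset) -> float:
    """P(at least one vulnerability on the asset is exploited this year).

    Each vulnerability is treated as an independent chance of compromise,
    scaled by how reachable the asset is, so
    P(compromise) = 1 - prod(1 - reach * p_i).
    """
    reach = 1.0 if asset.internet_facing else INTERNAL_REACH
    p_no_compromise = 1.0
    for vuln in asset.vulnerabilities:
        p_no_compromise *= 1.0 - reach * vuln.exploit_probability
    return 1.0 - p_no_compromise


def compromise_cost(asset: Asset) -> float:
    """Single-loss cost: data breach plus business interruption."""
    return asset.breach_cost + asset.daily_downtime_cost * asset.expected_downtime_days


def expected_annual_loss(asset: Asset) -> float:
    return compromise_probability(asset) * compromise_cost(asset)


def rank_assets(assets: List[Asset]) -> List[Tuple[str, str, float, float]]:
    """(name, legacy bucket, P(compromise), expected annual loss), largest loss first."""
    rows = [
        (a.name, a.legacy_bucket,
         round(compromise_probability(a), 4), round(expected_annual_loss(a), 2))
        for a in assets
    ]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample inventory (not real findings).
SAMPLE_ASSETS = [
    Asset("public web shop", True, 800_000, 50_000, 3, "High", [
        Vulnerability("unpatched CMS plugin", 0.30),
        Vulnerability("weak admin password policy", 0.10),
    ]),
    Asset("point-of-sale terminals", False, 4_000_000, 150_000, 5, "Medium", [
        Vulnerability("end-of-life operating system", 0.40),
        Vulnerability("flat network to back office", 0.25),
    ]),
    Asset("HR file share", False, 300_000, 2_000, 1, "High", [
        Vulnerability("overly broad share permissions", 0.50),
    ]),
]


if __name__ == "__main__":
    print(f"{'asset':<26}{'bucket':<8}{'P(comp)':>8}{'exp. loss':>14}")
    for name, bucket, prob, loss in rank_assets(SAMPLE_ASSETS):
        print(f"{name:<26}{bucket:<8}{prob:>8.3f}{loss:>14,.0f}")
```

With this sample data the point-of-sale terminals, rated only “Medium” by bucket, come out on top because the cost of a compromise dwarfs the others even though they are harder to reach, while the “High”-rated HR file share ranks last. The ordering, not the absolute figures, is the lesson: a bucket label hides exactly the exposure, likelihood and cost inputs that a quantified model makes explicit and arguable.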
As the amount of data consumed and processed by companies continues to grow and malicious actors find more sophisticated ways to access that data, the tightening of data privacy regulations makes perfect sense. Yet the added burden of continually meeting ever-changing compliance requirements can seem nearly impossible to over-stretched teams. By following the above steps, even in a small way, and putting proactive intelligence and analysis in place, companies and their employees, partners, and customers all come out ahead, which is ultimately good for business and good for society as a whole.