For too long, companies have made the mistake of separating privacy and security regulation. This has led to numerous security gaps that cybercriminals have exploited, and to ransomware attacks, like the SolarWinds or Colonial Pipeline attacks, which have shut down critical infrastructure industries and risked the security of millions. By integrating the management of security and privacy, organizations can gain a holistic understanding of their cybersecurity posture.
With the adoption and implementation of a risk management framework, organizations can stand a chance at improving their security and privacy in the digital age.
But how do we get there? What are the approaches we need to leave behind and the hurdles we need to overcome? What are the consequences of paying a ransom? Considering the company, state, and federal regulations in play, how can organizations stay on top of compliance management? The implementation of a sector-wide holistic risk management framework will not occur overnight, but there are signs of a slow transition toward one. In the STRONGER Conference Keynote Event, Aligning Security & Privacy Using the NIST Risk Management Framework, Dominique Shelton Leipzig and Padraic O’Reilly shared their insights on the effectiveness of an integrated risk management approach that aligns security and privacy.
Ineffective Risk Solutions
Endpoint solutions have been utilized to tackle specific problems but have a very limited scope. Endpoint solutions run the risk of not getting socialized properly across the organization and the data derived is not communicated effectively to the Board. These single-use solutions can lock security leaders into a single approach and when you’re too focused on one aspect, you are bound to expose security gaps elsewhere.
Cybercriminals have an increasingly large bank of resources and networks to operate with. Paying the demanded ransom only gives cybercriminals a greater advantage, especially when there is no guarantee the confiscated data will even be returned. The government and private companies can both agree that funneling crypto to criminals cannot be a long-term strategy.
While there have been talks to tack on penalties and fines for companies that pay out ransoms, there is no appetite on the federal side to penalize companies. “Instead, they’re going to use the levers they have and go after the exchanges, which will target the middlemen between the affected and the actual criminal,” explained O’Reilly. “There will be a slow transition into private regulation while gently encouraging them to not pay the ransoms. But you won’t see anyone get in trouble in the near term for paying the ransom because it’s a Hobson’s choice.”
Similar to the limited scope of endpoint solutions, a government-mandated compliance approach is not enough to sustain a long-term risk strategy. When you pursue a pure compliance approach, you run the risk of organizations doing the bare minimum to comply with standards.
Government-mandated compliance also applies only to federal contractors. Private companies are left unchecked, which can put critical infrastructure sectors at risk. A sector like the commercial facilities industry, which is largely privately owned, has no incentive or mandate to rethink its risk strategy unless its members are federal contractors.
“I think you’re going to see a little more motion, at least from the regulatory side, to meet standard requirements for companies that are selling products that are part of critical infrastructure sectors,” said O’Reilly. “There needs to be some concerted effort within the commercial sector between public and private networks because it will not be solved without collaboration.”
Cyberattacks do not occur in a vacuum. Their effects can spread down a supply chain, which is why each organization needs to be proactive in its privacy and security management.
State Privacy Laws Will Impact the Risk and Regulatory Landscape
California has taken one of the most controversial approaches to protect consumer data and is giving companies the opportunity to level up their privacy practices. The California Consumer Privacy Act (CCPA) applies to any business that collects data from California residents — regardless of where the business is headquartered.
“Every cookie violation on a website can constitute a fine of up to $7,500 per violation per California resident,” explained Shelton Leipzig. “There was a situation in which a company had 100 cookies for which they did not have a service provider exemption or sales exemption and that turned into $750,000 per Californian per day. So you can see how this can turn into a nine-figure expense.”
Along with violation fines, the CCPA also includes a statute that allows for a private right of action for data breaches and encourages proactively scanning websites for violations. The CCPA is unlike any approach before and it forces C-suite leaders to be aware and involved with overseeing security. Consumers have the ability to directly call out cookie violations with pre-populated notices addressed to the CEO.
Taking inspiration from the CCPA, the Federal Trade Commission (FTC) has received one billion dollars in funding to build out enforcement capabilities and re-evaluate the involvement of C-suite leaders and the board. Just this year, Colorado and Virginia have passed consumer data privacy acts and seven other states are considering bills of the same nature, including New York.
There is a clear demand for federal and state privacy and data security laws. Commercial enterprises could lose out to global competitors, like those in Japan and Israel. Major organizations will continue to be considered inadequate for data transfers if the US cannot provide data security on the level of the General Data Protection Regulation (GDPR).
“This is a very tenuous time for privacy but what I will say for corporations is that organization is key,” said Shelton Leipzig. “You need to know where your data is, have a program systematized, and access to tools that companies are going to need to get their arms around global compliance.”
Risk Management Frameworks are the Solution
Companies that continue with a siloed approach miss out on a wealth of information and will not gain true visibility into their risk exposure. The only way to integrate security and privacy while attaining real-time insights on a company’s posture is with a risk management approach.
The National Institute of Standards and Technology (NIST) has added measures to protect the privacy of individuals and their data to its risk management framework. Leading companies are now looking to understand their risk exposure with respect to privacy and security. With potential penalties impacting organizations, the exposure can be communicated in dollars, which is something C-suite executives and the board understand.
To support a well-integrated risk management framework, there are six steps recommended by NIST that will advance security and privacy controls. The first is to identify and categorize your organizational systems, including information types, assets, and operational roles and responsibilities. Next, security leaders need to select the necessary security controls. Third, the organization will need to enact selected security controls to measure and benchmark the posture. In the fourth phase, the controls will need to be assessed for producing the desired outcome. The fifth phase involves determining if permitted risks are acceptable and tracking failed controls. In the last phase, organizations will have to continuously automate the monitoring and maintain the security posture to remain compliant as new ordinances are released.
As organizations grow bigger and bigger, there can be a breakdown of communication that leaves risk exposures unexplained.
“You have to speak in a language that these executives understand because otherwise, the gaps that exist are not going to be remediated,” said O’Reilly. With an automated risk management program, information can be distilled on almost a weekly basis so that leaders can gain real-time visibility into the organization’s risk profile.
“The dollars and cents are adjusting as the exposures adjust, and the program's adjusting as you wire it up to understand what you're doing across the organization,” stated O’Reilly. “So that to me is the future.”
Considerations for the Future
There are a number of steps and solutions for companies to consider to ensure that they will be in a better position in the future. It starts with the integration of security and privacy and clear communication of risk exposures to the Board.
“This involves a whole reimagining of how the board engages around data, it involves understanding and aligning the data practices with the mission, as well as the strategic plan of the company,” said Shelton Leipzig. “In other words, looking at where the company is and where they want to go in the next three to five years and what data will they need to get there.”
Without considering the data collected by security leaders, the corporation can be completely exposed. Companies need to be intentional, transparent, and safe with data. It needs to be treated as a core asset of the brand.