For too long, companies have mistakenly treated privacy and security as separate programs. The resulting gaps have been exploited by cybercriminals in incidents such as the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack, which disrupted critical infrastructure and put millions of people at risk. By integrating security and privacy management, organizations gain a holistic understanding of their cybersecurity posture.
With the adoption and implementation of a risk management framework, organizations stand a chance at improving their security and privacy in the digital age.
But how do we get there? What approaches do we need to leave behind? What are the consequences of paying a ransom? Given company, state, and federal regulations, how can organizations stay on top of compliance management? Implementing a sector-wide holistic risk management framework will not happen overnight, but there are signs of a slow transition toward it. In the STRONGER Conference keynote, Aligning Security & Privacy Using the NIST Risk Management Framework, Dominique Shelton Leipzig and Padraic O’Reilly shared their insights on the effectiveness of an integrated risk management approach that aligns security and privacy.
Ineffective Risk Solutions
Point solutions, single-purpose tools bought to address one specific problem, have a limited scope. They can lock security leaders into a single approach, and when you are too focused on one aspect of the problem, you are bound to leave security gaps elsewhere.
Cybercriminals have an increasingly large bank of resources and networks to operate with. Paying the demanded ransom only gives them a greater advantage, especially when there is no guarantee that stolen data will be returned or deleted, or that the decryption key will even work. Government and private companies can both agree that funneling cryptocurrency to criminals cannot be a long-term strategy.
While there has been talk of tacking on penalties and fines for companies that pay ransoms, there is no appetite on the federal side to penalize them. “Instead, they’re going to use the levers they have and go after the exchanges, which will target the middlemen between the affected and the actual criminal,” explained O’Reilly. “There will be a slow transition into private regulation while gently encouraging them not to pay the ransoms. But you won’t see anyone get in trouble soon for paying the ransom because it’s a Hobson’s choice.”
Like point solutions, a government-mandated compliance approach on its own is not enough to sustain a long-term risk strategy. When you pursue a pure compliance approach, you run the risk of organizations doing the bare minimum needed to pass an audit rather than reducing actual risk.
Government-mandated compliance also reaches only federal contractors. Private companies are left unchecked, which puts critical infrastructure sectors at risk. A sector like commercial facilities, which is largely privately owned, has no incentive or mandate to rethink its risk strategy unless a given company happens to be a federal contractor.
“I think you’re going to see a little more motion, at least from the regulatory side, to meet standard requirements for companies that are selling products that are part of critical infrastructure sectors,” said O’Reilly. “There needs to be some concerted effort within the commercial sector between public and private networks because it will not be solved without collaboration.”
Cyberattacks do not occur in a vacuum; their effects can spread down a supply chain, which is why each organization needs to be proactive in its own privacy and security management.
State Privacy Laws Will Impact the Risk and Regulatory Landscape
California has taken one of the most controversial approaches to protecting consumer data, and it forces companies to level up their privacy practices. The California Consumer Privacy Act (CCPA) applies to any business above its size thresholds that collects personal data from California residents, regardless of where the business is headquartered.
“Every cookie violation on a website can constitute a fine of up to $7,500 per violation per California resident,” explained Shelton Leipzig. “There was a situation in which a company had 100 cookies for which they did not have a service provider exemption or sales exemption, which turned into $750,000 per Californian per day. So you can see how this can turn into a nine-figure expense.”
Along with regulatory fines, the CCPA also includes a private right of action for data breaches, and the fine structure encourages proactively scanning your own websites for violations before someone else does. The CCPA is unlike any approach before it, forcing C-suite leaders to be aware of and involved in overseeing security. Consumers can directly call out cookie violations with pre-populated notices addressed to the CEO.
Taking inspiration from the CCPA, the Federal Trade Commission (FTC) is slated to receive one billion dollars in funding to build enforcement capabilities and to re-evaluate the involvement of C-suite leaders and the board. This year, Colorado and Virginia passed consumer data privacy acts, and seven other states, including New York, are considering bills of the same nature.
There is a clear demand for federal and state privacy and data security laws. Commercial enterprises could lose out to competitors in jurisdictions such as Japan and Israel, which already hold EU adequacy decisions. US organizations will remain a harder destination for international data transfers as long as the US cannot provide data protection at the level of the General Data Protection Regulation (GDPR).
“This is a very tenuous time for privacy but what I will say for corporations is that organization is key,” said Shelton Leipzig. “You need to know where your data is, have a program systematized, and access to tools that companies are going to need to get their arms around global compliance.”
Risk Management Frameworks are the Solution
If companies continue with a siloed approach, they miss out on a wealth of information and never gain true visibility into their risk exposure. Integrating security and privacy while attaining real-time insight into the company’s posture requires a risk management approach.
The National Institute of Standards and Technology (NIST) has integrated privacy into its Risk Management Framework (RMF), adding measures to protect the privacy of individuals and their data alongside the security controls. Leading companies are now looking to understand their combined privacy and security risk exposure. Because potential penalties are quantifiable, that exposure can be communicated in dollars, which is something C-suite executives and the board understand.
NIST’s RMF (SP 800-37 Rev. 2) defines seven steps that advance security and privacy controls together; the keynote focused on the six core steps that follow the initial Prepare step. First, Categorize: identify and categorize your organizational systems, including information types, assets, and operational roles and responsibilities. Second, Select: choose the security and privacy controls the system needs. Third, Implement: put the selected controls in place and document how they are deployed, which gives you a baseline to measure and benchmark the posture against. Fourth, Assess: verify that the controls are implemented correctly and produce the desired outcome. Fifth, Authorize: decide whether the residual risk is acceptable and track the controls that failed assessment. Last, Monitor: continuously (and, where possible, automatically) monitor the controls and maintain the security posture so that you remain compliant as new ordinances are released.
As organizations grow bigger and bigger, communication can break down in ways that leave risk exposures unexplained.
“You have to speak in a language that these executives understand because otherwise, the existing gaps will not be remediated,” said O’Reilly. With an automated risk management program, information can be distilled almost weekly so that leaders gain near real-time visibility into the organization’s risk profile.
“The dollars and cents are adjusting as the exposures adjust, and the program's adjusting as you wire it up to understand what you're doing across the organization,” stated O’Reilly. “So that, to me, is the future.”
Considerations for the Future
There are several steps and solutions companies should consider to put themselves in a better position. It starts with integrating security and privacy and communicating risk exposures clearly to the board.
“This involves a whole reimagining of how the board engages around data. It involves understanding and aligning the data practices with the mission, as well as the strategic plan of the company,” said Shelton Leipzig. “In other words, looking at where the company is and where they want to go in the next three to five years and what data will they need to get there.”
Unless security leaders account for the data the company actually collects, the corporation can be completely exposed. Companies need to be intentional, transparent, and safe with data, and treat it as a core asset of the brand.