The acceleration of digital transformation initiatives has rendered traditional security architectures, tools and techniques ineffective against the modern adversary. New privacy regulations are forcing organizations to review their data collection and management processes to minimize the data they hold, and they tend to impose stricter data-sharing requirements as well. This piece explains how cybersecurity laws and regulations, especially around privacy, are evolving to reflect this new reality.
Traditional Cybersecurity Structures vs. Today's Critical Data Assets
Most of the cybersecurity paradigms and regulatory structures that exist were designed for a time when we could collect our digital assets, put them in one place and tightly control access through a combination of physical controls (such as walls, guards and fences) and technical controls (for example, firewalls and VPNs). This is often referred to as a castle-and-moat strategy. It presumes bad actors are outside the walls, and anybody on the inside is a good actor.
However, castle-and-moat security architectures do not reflect the way we work and live today. It is generally agreed that more critical data, more applications and more knowledgeable workers exist outside of the enterprise than inside the walls.
The current regulatory surge is a direct result of this shift. The shift began in 2003 when the Jericho Forum was formed. The adoption of digital strategies, especially cloud, was accelerated by five to 10 years, depending on sector, because of the pandemic. The pandemic also amplified awareness of the depth and interdependencies of supply chains.
We are living through the greatest wave of regulatory changes since the 1930s—all designed to reflect the modern world.
Cybersecurity Regulatory Trends Reflect the New Reality
Cybersecurity regulation comes from four sources:
- Federal government (e.g., Computer Fraud and Abuse Act)
- Sectoral organizations (e.g., SEC Cybersecurity Rule)
- State governments (e.g., NYDFS)
- International organizations (e.g., Network and Information Security Directive 2)
Regardless of the source, regulatory trends across industries and sectors consistently reflect the reality that technical defenses are no longer sufficient. According to the 2022 Verizon Data Breach Investigations Report, “[A]t least two-thirds of cyberattacks are now focused on impersonating trusted users and systems to access vital data or critical systems.” All these updated data-handling requirements may seem daunting for an organization. Business leadership may view privacy programs as costly efforts with little return, but the changing regulatory environment makes a focus on privacy more imperative now than ever.
Current Privacy Regulation Trends
Many practices from the privacy domain, especially when it comes to data governance, are beneficial to cybersecurity. The most significant is the separation of the data owner and the data custodian. The data owner (or asset owner) is typically on the business side. The asset owner knows the value to the business, obligations to third parties and handling requirements. The asset custodian is typically in IT, charged with implementing controls, managing the asset day to day and reporting as needed. The collaboration of roles fosters alignment between the business, operations and security.
Regulators are looking at data governance practices and lessons learned for applicability to cybersecurity. The practice of only collecting data that is needed and keeping it only for as long as needed will most likely find its way into cybersecurity regulations.
Privacy is more straightforward than cybersecurity because the data elements are specified by law and often have a defined pattern, making them easier to find. For example, Social Security numbers always follow the same format (i.e., ###-##-####). Quite often, data elements collected for business purposes are collected without knowing what insights they will provide in the future, making it harder to determine when they should be expunged.
Privacy is coming full circle. Privacy in the digital age has its roots in HIPAA. The role of HIPAA was to provide for the safety and security of information so market forces would increase quality at lower cost. Prior to HIPAA, information was locked into pools with patients effectively held hostage. The industry is circling back to that philosophy of privacy to foster information sharing in the form of digital trust.
The return of privacy to foster commerce is further evidenced in the Schrems II decision. Schrems II found that personal data transferred from the EU had limited protection under U.S. domestic law and was accessible to U.S. public authorities. Schrems II put a $7.1 trillion economic relationship between the U.S. and the EU in jeopardy. In response, the EU and the U.S. negotiated the EU-U.S. Data Privacy Framework to replace the former EU-U.S. Privacy Shield Framework.
InfoSec and Privacy Regulatory Changes: How to be Prepared
We are living through the largest regulatory changes since the 1930s. To ensure your organization is prepared:
- Realize the intent is harmonization: Regulatory change is occurring at all levels of regulatory and legislative authority across all sectors. While it feels overwhelming, there is a concerted effort to ensure consistency and harmonize to reduce the burden placed on organizations.
- Understand we are all in this together: There is a deliberate effort to form a tighter cooperation between the public and private sectors.
- Establish a good foundation: Ensure all cybersecurity, privacy and compliance efforts are collaborative and foster a cyber-aware culture.
- Stay abreast of trends: The National Cybersecurity Strategy is the best source for overarching trends. Information-sharing organizations like Information Sharing and Analysis Centers are also excellent resources.
IANS Resources to Navigate Privacy Operations
There are 40+ privacy bills either enacted or in progress in the US, and over 165 countries that have enacted privacy laws. Is your security team prepared to comprehend and implement these regulations?
IANS Privacy Operations is a dedicated stream of research and advisory resources for CISOs and their teams to support the tactical assessment, policy creation and implementation of privacy initiatives. Create a productive and efficient process for handling privacy concerns and regulations with your internal privacy stakeholders. Learn more here.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.