One of the biggest cybersecurity challenges that organizations face is one that has been dogging them for decades – compliance. What is interesting about the impact of technology is that it makes compliance harder for two distinct reasons: it makes the old problems more complex, and it creates entirely new ones.
The Same Problem Exists, but is More Complex
Technology is a double-edged sword when it comes to cybersecurity. For example, we have all benefited from the enhancement and adoption of cloud services, especially given the impact of the pandemic. Many of us had our daily work routine turned upside down, which in turn accelerated the adoption of cloud services and work-from-anywhere solutions. However, from an organizational perspective, the expanded use of the cloud has left many enterprises with a degraded awareness of which services and assets are actually in use, and by extension, which of them need security controls and services applied.
Think about it – one of the core tenets of every security framework and compliance standard is that the organization has an accurate understanding of what is in its environment. Ten to fifteen years ago, "environment" was largely restricted to what sat behind the corporate firewall. Nowadays, that boundary is all but non-existent. For those with an ITSM (IT Service Management) solution in place, is it functioning as your enterprise ITAM (IT Asset Management)? If so, are you ingesting not only the virtual workstations, servers and containers across your multiple cloud environments, but also information about the cloud providers themselves? What about all the 3rd and 4th party cloud vendors your enterprise services depend on? Chances are pretty good that once you go beyond your internal network, your awareness of what is in play gets a bit fuzzier.
This awareness is the cornerstone of many compliance requirements; examples include, but are not limited to, the CIS Controls from the Center for Internet Security (whose first control is an inventory of enterprise assets), the NIST frameworks (the Cybersecurity Framework's Identify function begins with asset management), GDPR and so on. Even if there is a compliance standard out there that does not explicitly call out the need for an accurate ITAM, which I am unaware of but is possible, every cybersecurity compliance requirement puts parameters in place that presuppose an understanding of the assets in an environment. How can one be expected to implement effective data security controls without knowing what assets exist to apply those controls to? Knowing what one has is the foundation for any compliance standard.
Even if SOX, HIPAA, CJIS or some other compliance requirement isn't your priority, getting your arms around cloud services and assets is just good cyber hygiene and fundamental to any security program. How can you effectively assess cyber risk at an enterprise level if you don't know what is in the enterprise? Anything you do or suggest is then built upon, at best, an incomplete picture of reality or, at worst, a completely wrong one.
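The practical check behind the argument above is a reconciliation: pull what each cloud platform actually reports and diff it against what the ITAM/CMDB says you have. The script below is an added example, not code from the original article or from any particular ITAM product. The CMDB export, the provider snapshots, the provider labels ("aws", "azure", "k8s") and the asset IDs are all constructed for illustration; in practice the snapshot lists would come from each provider's inventory API and the CMDB list from your ITAM export.

```python
"""Reconcile live cloud inventories against an ITAM/CMDB export.

Added example with constructed data; provider labels, field names and
asset IDs are assumptions, not taken from any real environment.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    """One asset as reported by either the CMDB or a cloud platform."""
    provider: str   # assumed labels: "aws", "azure", "k8s"
    asset_id: str   # provider-native identifier
    kind: str       # "vm", "container", ...
    owner: str = ""  # accountable team; empty means nobody is on record


def _key(asset: Asset) -> Tuple[str, str]:
    """Normalize so 'I-0F9E8D7C' in the CMDB matches 'i-0f9e8d7c' from the API."""
    return (asset.provider.strip().lower(), asset.asset_id.strip().lower())


# Constructed CMDB export: what the organization believes it is running.
CMDB_EXPORT: List[Asset] = [
    Asset("aws", "i-0a1b2c3d", "vm", owner="payments"),
    Asset("aws", "I-0F9E8D7C", "vm", owner="payments"),   # mixed case on purpose
    Asset("azure", "vm-hr-01", "vm", owner="hr"),
    Asset("azure", "vm-hr-02", "vm", owner="hr"),         # decommissioned, never removed
    Asset("k8s", "prod/api-7f9c", "container"),           # registered, but no owner
]

# Constructed provider snapshots: what the platform APIs return today.
PROVIDER_SNAPSHOTS: Dict[str, List[Asset]] = {
    "aws": [
        Asset("aws", "i-0a1b2c3d", "vm"),
        Asset("aws", "i-0f9e8d7c", "vm"),
        Asset("aws", "i-0deadbeef", "vm"),               # spun up outside change control
    ],
    "azure": [
        Asset("azure", "vm-hr-01", "vm"),
    ],
    "k8s": [
        Asset("k8s", "prod/api-7f9c", "container"),
        Asset("k8s", "prod/debug-shell", "container"),   # nobody registered this
    ],
}


def reconcile(cmdb: Iterable[Asset],
              snapshots: Dict[str, List[Asset]]) -> Dict[str, List[Asset]]:
    """Return the three gaps a compliance assessor will ask about.

    unknown: live in a platform but absent from the CMDB (no controls assigned)
    stale:   in the CMDB but no longer live (controls and risk scores are fiction)
    unowned: live and known, but nobody is accountable for it
    """
    known = {_key(a): a for a in cmdb}
    live = {_key(a): a for assets in snapshots.values() for a in assets}
    unknown = sorted((live[k] for k in live.keys() - known.keys()), key=_key)
    stale = sorted((known[k] for k in known.keys() - live.keys()), key=_key)
    unowned = sorted((known[k] for k in known.keys() & live.keys()
                      if not known[k].owner), key=_key)
    return {"unknown": unknown, "stale": stale, "unowned": unowned}


def coverage(cmdb: Iterable[Asset], snapshots: Dict[str, List[Asset]]) -> float:
    """Fraction of live assets the CMDB actually knows about (1.0 if nothing is live)."""
    known = {_key(a) for a in cmdb}
    live = {_key(a) for assets in snapshots.values() for a in assets}
    return 1.0 if not live else len(known & live) / len(live)


if __name__ == "__main__":
    gaps = reconcile(CMDB_EXPORT, PROVIDER_SNAPSHOTS)
    for label, assets in gaps.items():
        print(f"{label}: {[f'{a.provider}:{a.asset_id}' for a in assets]}")
    print(f"CMDB coverage of live assets: {coverage(CMDB_EXPORT, PROVIDER_SNAPSHOTS):.0%}")
```

Two design points matter more than the diff itself. First, keys are normalized per provider, because the same identifier style rarely survives a manual CMDB entry intact; without that, every mixed-case entry shows up as both "unknown" and "stale" and the report is noise. Second, "unowned" is reported separately from "unknown": an asset that is inventoried but has no accountable owner is, for control-assignment purposes, almost as bad as one nobody knew about.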
New Technology Equals New Compliance Challenges
While it is reasonable to posit that the majority of cybersecurity compliance challenges are the same as, say, ten years ago, newer technology has brought new concerns and challenges with it. A good example of this is IoT.
Technically, IoT has been around for decades, in particular in SCADA and other industrial applications. However, it is only in the last decade that we have seen an explosion of adoption in the enterprise, and especially in the consumer market. The biggest issue with IoT is that these devices have been, and continue to be, compromised by multiple cyber threats. Many of the DDoS attacks that organizations experience are launched from tens, if not hundreds of thousands, of compromised IoT devices, which are in turn used to DDoS enterprises of all sizes.
This has not gone unnoticed by the federal government. On May 12, 2021, the White House issued Executive Order 14028 (Improving the Nation's Cybersecurity), which, among other things, puts forth requirements around IoT devices and deployments. While this executive order only directly binds federal executive branch agencies (and, through their procurement requirements, the vendors that sell to them), it does demonstrate that as new technology emerges, compliance will eventually follow behind. In Europe, the standards body ETSI published EN 303 645, a baseline cybersecurity standard for consumer IoT products, in June 2020. Among its thirteen provisions is the requirement that there be no universal default passwords.
New compliance requirements aren't enacted at just the national and industry level. SB-327 in California, which went into effect on January 1st, 2020, specifically calls out the IoT market. Any manufacturer of a device that connects, directly or indirectly, to the internet must equip it with 'reasonable' security features to prevent unauthorized access, modification, or data exposure. The law also takes the same position on default credentials: a device that can be authenticated to from outside a local network must either ship with a unique preprogrammed password per device or force the user to set a new means of authentication before first access.
What Does This Mean for the Future of Cybersecurity Compliance?
The good news is that the purpose behind cyber compliance will remain the same – to establish guidelines and prerequisites for people and organizations to follow so that whatever the compliance requirement is focused upon is protected. Protection here extends to the confidentiality, integrity, and availability of data.
Compliance standards will evolve and change over time – some will be deprecated, and some created in response to the ebb and flow of old and new technology. What we need to remember is that compliance doesn't necessarily equal effective cybersecurity, but it very frequently sets us on a path that leads there.