Security professionals, legislators, and relevant industries have been calling for greater regulation for years as the business world continues to embark upon digital transformation. As technology continues to evolve, so do these compliance mandates—even some cities are grappling with facial recognition privacy bans.
These regulations are intended to help baseline security, protect privacy, and prevent breaches that have proven to be both costly and embarrassing. The inevitable side effects of breaches that impact personal data like Social Security numbers are irreversible.
But are we taking the right long-term approach to these regulations? I have seen a handful of rules that have made an immediate impact in an immature cyber world. The Federal Information Security Management Act (FISMA), the Payment Card Industry Data Security Standard (PCI), and the European Union’s General Data Protection Regulation (GDPR) are ones that come to mind.
When each of these regulations was first enacted, it served a distinct purpose. Still, the regulatory landscape has unraveled, resulting in a domino effect security leaders didn’t expect.
It’s almost as if the effects of these requirements have spawned newer regulations that should cause us to take a step back and think before we draft any more. The California Consumer Privacy Act (CCPA) and the U.S. Department of Defense’s Cyber Maturity Model Certification (CMMC) are the most recent additions. Both of these regulations have the right intent; however, were they really necessary?
For instance, there are similarities between FISMA and the CMMC, seeing as the baseline of both regulations draws from the NIST framework. The steps security departments will need to take to comply with them will be so eerily similar that it creates confusion. A recent Inspector General report has even confirmed that the NSA is “lagging in all eight of the security areas” tied to FISMA.
Focusing on the payment card industry, Verizon's 2019 Payment Security Report found that compliance with PCI DSS “fell to 36.7 percent globally, down from 52.5 percent in 2018.” Are organizations struggling to comply, given the complexity tied to the increased use of technology in the enterprise, or are they getting bogged down in regulations? I'm all for securing my privacy rights with companies that have access to my data in California, but how different does the CCPA have to be from GDPR?
Let’s consider a small firm in California with users based in the United Kingdom. They have a government contracting business unit that conducts business with the DoD in the United States. They also process payment cards. The maze of regulations with many similarities is scary when you think of the cost this will add from a tools and process standpoint. Then there are also other global regulations coming from China and Russia, which would seem to trump all of these if a regulatory body wishes to enforce a specific penalty. But, when I look 10 to 20 years in the future, this is not the most significant concern.
By creating the regional and state enforcement of policies and guidelines, we lose the ability to see things from a global perspective, as well as potentially limit a company’s flexibility to save on costs in the global market.
Let’s revisit our previous example of the small California-based company. Imagine that by 2030, every state in America has a privacy protection act, all featuring slight variations. That’s 50 regulations the company has to deal with to conduct commerce within the United States. Keep in mind, they still need to comply with GDPR.
Given the uncertainty of Brexit, let’s assume those 28 member states of the EU decide they need some slight variations from GDPR. Further, let’s assume in South America, each of the 12 independent countries decides that they will each enact separate privacy protection acts. We’ll assume Canada is good with the Personal Information Protection and Electronic Documents Act, and Mexico sticks with its federal law on the protection of personal data held by private parties.
For this California-based company to conduct business in North America, Canada, Mexico, South America, and Europe in 2030, they may have to navigate 92 different slight variations on data privacy. Mind you, they’re still not operating globally at this point. We didn’t consider the other governments that will likely have a CCPA-esque regulation, or any other upcoming technology for which there will be calls for regulation, such as IoT and 5G technology. The internet is becoming more and more regionalized, and given that research indicates that “83% of enterprise workloads will be in the cloud by 2020,” cloud providers will need to be available in every region.
So what’s the solution? Individual countries, counties, and municipalities have had conflicting laws for centuries. But the big difference was that these were all impacted by geographical locations and boundaries. Except for specific underlying network protocols, the internet and its users were never really meant to see geographic boundaries. Data is data; it flows over pipes on the internet and gets to its destination. So before a new regulation, act, or compliance mandate is proposed, we should think about how many more are needed.
Perhaps, now is the time for one globally recognized cybersecurity regulatory body that all countries can participate in.
Each world power has the expertise that allows them to navigate these global issues while keeping regional equities at bay. They can answer the harder long-term questions.
Should everyone embrace GDPR as the global standard? That’s a valid question that’s yet to be answered. If that were to be the case, slight modifications could be made instead of complying with similar, yet different, costly mandates.
There are currently great examples of regulations that can be applied across industries, without having to draft new ones that create complexity. It’s vital to enable organizations to grow, but the domino effect currently taking place on the compliance-mandate front is prohibiting this. Let’s not forget that it’s also having a significant impact on the security posture of businesses.
Mark Whitehead is the Vice President of Security Testing at Trustwave SpiderLabs.