Article by Jonathan Sproule MBCS CISM CCSP CISSP
Why compliance is crucial to businesses and stakeholders
The world of compliance has often lagged behind the release and adoption of new technologies. Organisations around the world will always seek new ways to stay ahead of the competition and continue to grow in order to survive. It is a classic case of the tail wagging the dog: practice on the ground moves first, and the rules follow.
There can be several drivers for an information security program, including regulation, incidents, and reputation. Whenever you are in an industry which is heavily regulated, thankfully the hard work of justifying the program is already done for you. This is the stick rather than the carrot, of course; however, for long-term success and buy-in, the carrot is more fruitful. An important point is that compliance does not necessarily equal security.
I’m sure many readers will understand the definition of compliance; however, to make sure we are on the same page here I think it’s important to cite the definition. This matters because in the information security world there is often a great deal of confusion and difference of opinion over certain terms, e.g. what is meant by the associated risk.
Definition of Compliance – the act of obeying an order, rule, or request
When I think about that definition there are some verbs and adjectives which stand out to me: obeying and rules. Organisations can often get caught up in tick box exercises, and that can happen when talking about compliance, or talking with senior stakeholders who are not traditionally from an information security background. I like the NIST Cybersecurity Framework (CSF), which has been widely adopted in our industry and for good reason; it is outcome driven rather than being a tick box approach and provides useful guidance in the form of information references. This helps to introduce simplicity into a complex environment of regulations and standards.
Complexity in the Compliance Ecosystem
Organisations can struggle with understanding and interpreting regulatory requirements. There is complexity in this ecosystem: regulations can affect each other and sometimes overlap with the requirements of other regulations. As one example, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) both regulate the use and protection of personal data, including individuals’ rights to access and control their personal information. There are some commonalities, but there are also some key differences. Whether you are considered in scope or out of scope of various regulations very much depends on where you and your customers are located.
There are, of course, various reporting requirements from the various regulations too, which further increases complexity in the system.
The Impact of not Complying
The impacts of non-compliance can ultimately affect the organisation’s bottom line. This is something that our business stakeholders will understand in financial terms. When speaking about impacts to business stakeholders we should seek to translate our language into meaningful terms that they understand, and explain what impact means from a financial perspective.
To communicate the impacts of incidents to business stakeholders, Factor Analysis of Information Risk (FAIR) provides a great model for understanding, analysing and quantifying information risk in financial terms. The impacts of incidents and breaches are far more than just being served fines by secondary stakeholders (regulatory bodies). There are other forms of loss that can be realised and should be communicated in your risk analysis:
Productivity loss: losses that result from an organisation’s inability to deliver its products or services
Response loss: losses that are associated with managing the event itself
Replacement loss: the costs associated with the replacement of a capital asset or a person
Fines and judgements: penalties levied against an organisation through civil, criminal, or contractual actions, usually the result of a confidentiality-related scenario
Competitive advantage: losses associated with a diminished competitive advantage
Reputational damage: losses associated with an external actor’s perception that the value proposition of your organisation has been diminished
Each regulation will have its own enforcement, fines, and penalties for non-compliance, as detailed in figure 1. The severity of the fines will depend on the nature and type of finding, and on how it was discovered. If the non-compliance was discovered as part of your own audit program, we could say with a high degree of certainty that the penalty would likely be lower than if it was discovered by an external threat actor in a breach scenario. It is important to note that these fines can vary depending on the specific case, the severity of the violation, and the discretion of the relevant authority, so an internal audit program is cost effective. If you don’t have an audit program in place, this could serve as a business case for just that, supported by objective data.
Speaking of objectivity: if we look at data relating to data breaches as part of our situational awareness, the global average cost of a data breach is now $4.35M. That’s a fairly sizeable number and would certainly affect the organisational bottom line in terms of profit.
The cost per stolen record is $164, up slightly from $161 the previous year. To get good data you of course need a large sample across industries, so that we can increase our confidence in the figures. The cost per stolen record varies, so you might want to represent it as a distribution instead of a single precise value.
A measurement is a reduction in uncertainty, and it can be helpful to review industry reports from incidents globally to help inform decisions and incorporate these into risk analysis.
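As an added illustration of the FAIR-style quantification and the distribution-rather-than-point-estimate advice above (example code written for this article, not from the FAIR standard or any vendor tool), the following Monte Carlo simulation turns assumed ranges for loss event frequency, records exposed and cost per record into an annual loss distribution that can be reported to stakeholders as percentiles. The $164 cost-per-record figure is taken from the page as the most likely value; every other range is an assumption chosen for illustration.

```python
import math
import random


def draw(rng, low, mode, high):
    """Sample a triangular distribution given as (min, most likely, max)."""
    # random.triangular takes (low, high, mode), so reorder the arguments.
    return rng.triangular(low, high, mode)


def poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events occurring in one year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(n_trials=10_000,
                         freq=(0.1, 0.3, 1.0),                  # events per year (assumed)
                         records=(1_000, 20_000, 100_000),      # records per event (assumed)
                         cost_per_record=(120.0, 164.0, 250.0),  # USD; mode is the page's $164
                         seed=1):
    """Return one simulated annual loss in USD for each trial."""
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible
    losses = []
    for _ in range(n_trials):
        events = poisson(rng, draw(rng, *freq))  # frequency is itself uncertain
        total = 0.0
        for _ in range(events):
            total += draw(rng, *records) * draw(rng, *cost_per_record)
        losses.append(total)
    return losses


def summarize(losses):
    """Mean and percentiles of the loss distribution, for stakeholder reporting."""
    s = sorted(losses)

    def pct(q):
        return s[min(len(s) - 1, int(q * len(s)))]

    return {"mean": sum(s) / len(s), "p50": pct(0.50),
            "p90": pct(0.90), "p95": pct(0.95), "max": s[-1]}


if __name__ == "__main__":
    for name, value in summarize(simulate_annual_loss()).items():
        print(f"{name:>5}: ${value:,.0f}")
```

Reporting the p90 or p95 alongside the mean lets a business stakeholder see both the typical year and the bad year, which a single average cost figure hides.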
Achieving and maintaining compliance is crucial in today’s interconnected world, which is why it’s important to ensure you have a well-resourced GRC function. Introduce simplicity into the system to combat the complexity by ensuring you have the resources required; you can’t change the external regulatory landscape, but you can change how easy or difficult it is to adhere to.