Meet the Role Players
Learning Objectives
After completing this unit, you’ll be able to:
- Identify key players in cybersecurity compliance and regulation.
- Describe the challenges that key players face in cybersecurity compliance and regulation.
Power to the Players
From game night to trivia with friends, everyone loves a good time. And what better way to have fun than to break out a video game or two? The more you play, the more likely you are to run into different types of characters, each with their own unique style.
Video games can reveal a lot about people.
- Are they motivated by winning?
- Do they just want to have a good time?
- Do they need to follow the rules or do they just like to go with the flow?
Much like the players you run into on game night, the players in cybersecurity compliance and regulation also have certain characters each with unique roles and responsibilities. Let's introduce you to the most influential players in the compliance world.
Role | What They Care About
---|---
Lawmakers |
Organizations |
Third Parties |
Auditors |
Regulatory Authorities |
Industry Groups |
Customers |
The Growing Gap in Regulatory Compliance
Now that you have a better understanding of who these players are and what they care about most, let’s talk about the challenges they’re currently facing with regulatory compliance.
Cybersecurity Regulatory Compliance Is Complex
Regulating cybersecurity is a particularly difficult task for the lawmakers and regulators charged with oversight. For organizations operating across borders, managing cybersecurity becomes still more complex, because each country has its own level of cybersecurity maturity and its own laws. The result is a diverse set of compliance environments that share some similarities yet differ in focus and intent.
Because each business sector has its own complexities, complying with federal, state, and local laws is a monumental challenge. Since almost every sector depends heavily on information technology (IT), regulatory compliance is a critical component of cybersecurity. Over the years, however, regulations have often been broken and poorly enforced.
Compliance Doesn’t Equal Security
Over the past decade, cyberthreats have increased rapidly, accentuating the need to regulate cybersecurity practices and activities, and to impose penalties and sanctions for violating the regulations.
However, relying solely on compliance to achieve security protection doesn't necessarily enable an organization to cover all cybersecurity needs. That’s because compliance requirements often lag behind cybersecurity risk and technology, and are written broadly to apply to many organizations, while a security strategy needs to be tailored to the needs of a particular organization.
Laws and regulations can serve as a good starting point for establishing a company’s cybersecurity objectives, because compliance with these laws is an absolute necessity in any cybersecurity plan, but they shouldn’t be viewed as the ultimate end goal. Being compliant is like beating the game on normal difficulty, but good security is leveling up and beating the game on advanced mode.
More importantly, to prepare for changing compliance requirements, organizations need to create a security-first approach to cybersecurity so they can stay ahead of the evolving requirements. There is no 100% effective way to prevent all cybersecurity breaches, but cybersecurity must form part of the risk management process, as part of a long-term, strategic approach to cyber resilience.
Cyber resilience is an organization’s ability to continuously deliver solid results despite challenging cyber events. It is a holistic view of cyber risk that looks at culture, people and processes, and technology. It’s about being prepared, anticipating threats, determining the appetite for risk, and developing the response and recovery plan when something occurs.
At a minimum, organizations must maintain essential cyber hygiene. This includes regular, secure backups (essential to maintaining resilience and recovering quickly if attacked) and keeping software up to date to ensure security patches are in place. What’s more, security must be a core part of the product lifecycle. Appropriate incentives should ensure that future devices and networks have robust security embedded into the design from the start and that these aren’t added later in a “bolt on” fashion.
If you develop a security-minded culture in your organization, then compliance is relatively easy to achieve. Building security into your organization’s culture goes beyond simply complying with regulations. You can implement culture change from the top down with measures of effectiveness and efficiencies, along with metrics to enable successful engagement.
A strong security culture has the potential to increase employees' vigilance in protecting electronic assets. This culture can include controls such as ensuring there's separation between normal user accounts and administrator accounts, verifying that login credentials aren't shared, and regularly training staff on the risks that lax security behaviors present.
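Two of the controls just named, separating admin from everyday accounts and making sure credentials aren't shared, are only as good as your ability to check them. The script below is an added example, not part of this module or of any vendor tool, that runs a simple detection over a few constructed authentication log lines: it flags accounts that log in from two different hosts within a short window (a common sign of a shared password) and privileged accounts that log in from ordinary workstations instead of designated admin hosts. The log format, the `adm-` naming convention for privileged accounts, the `jump-01` admin host, and the 10-minute window are all assumptions for illustration.

```python
"""Added example: spotting shared credentials and admin/user account mixing
in authentication logs. Not from the original module; format and names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, user=, src=, result=)
SAMPLE_LOG = """\
2024-03-01T08:00:10 user=alice src=ws-101 result=success
2024-03-01T08:00:40 user=alice src=ws-207 result=success
2024-03-01T08:05:00 user=bob src=ws-102 result=success
2024-03-01T08:20:00 user=adm-carol src=ws-103 result=success
2024-03-01T09:00:00 user=bob src=ws-102 result=success
2024-03-01T09:30:00 user=adm-carol src=jump-01 result=success
2024-03-01T10:00:00 user=dave src=ws-104 result=failure
"""

ADMIN_PREFIX = "adm-"       # assumption: privileged accounts are named adm-*
ADMIN_HOSTS = {"jump-01"}   # assumption: privileged logins are only expected from these hosts
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn each non-empty log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": kv["user"],
            "src": kv["src"],
            "ok": kv["result"] == "success",
        })
    return events


def shared_credential_suspects(events, window=WINDOW):
    """Accounts with successful logins from two different sources within `window`.

    Returns {user: sorted list of source hosts involved}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    suspects = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted by time, so later events are further apart still
                if b["src"] != a["src"]:
                    suspects.setdefault(user, set()).update({a["src"], b["src"]})
    return {u: sorted(s) for u, s in suspects.items()}


def admin_separation_violations(events, admin_prefix=ADMIN_PREFIX, admin_hosts=ADMIN_HOSTS):
    """Privileged accounts that logged in successfully from a non-admin host.

    Returns a sorted list of (user, source host) pairs.
    """
    return sorted({
        (e["user"], e["src"])
        for e in events
        if e["ok"] and e["user"].startswith(admin_prefix) and e["src"] not in admin_hosts
    })


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("possible shared credentials:", shared_credential_suspects(evs))
    print("admin accounts used from ordinary hosts:", admin_separation_violations(evs))
```

In the sample, `alice` logs in from two workstations 30 seconds apart, which a single person at one desk can't normally do, and `adm-carol` uses a privileged account from an ordinary workstation before moving to the jump host. Real deployments would read from the identity provider or SIEM rather than a string, and the window and naming rules should come from your own account policy rather than the assumptions used here.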
Sum It Up
Now that we’ve identified some common players and their challenges, let’s explore some key trends and regulatory compliance challenges.
Resources
- External Site: CompTIA: Quick Start Guide to Security Compliance
- PDF: MIT Management Sloan School: Analyzing the Interplay Between Regulatory Compliance and Cybersecurity
- External Site: Global Cyber Alliance (GCA): Small Business Toolkit: Backup and Recover
- External Site: GCA: Small Business Toolkit: Update Your Defenses