Chief information security officers (CISOs) love to laugh at ridiculous compliance regulations. In the financial industry, for example, some organizations are forced to comply with Regulations Systems Compliance and Integrity (RegSCI), Commodity Futures Trading Commission (CFTC) rule 39.18, the Committee on Payments and Market Infrastructures (CPMI), the International Organization of Securities Commissions (IOSCO) and Principles for Financial Market Infrastructure (PFMI) Principal 17.
The problem with regulatory compliance is not the rules that are self-evidently absurd, it’s the ones that sound reasonable on their own but impose a huge burden collectively. Federal, state and local governments are cramming thousands upon thousands of new compliance regulations down our throats each year, and that creates big problems for CISOs.
Drowning in Regulatory Compliance Requirements
Each regulator seems to think it can ensure its immortal legacy by issuing standards that are a bit different. Some security experts might argue that regulatory mandates help toe the line for corporations large and small, but it is becoming vastly overcomplicated, especially for small organizations that lack resources.
Consider the Dodd-Frank legislation that aimed to prevent another financial crisis. It’s purpose was to create transparency, stop banks from taking excessive risks, prevent abusive practices, and seize tottering, too-big-to-fail financial firms. That law spanned 843 pages — that’s 23 times longer than the Glass-Steagall law that followed the Wall Street crash of 1929. Dodd-Frank became outrageously demanding when regulators filled in further compliance details beyond its original purpose.
For example, the Cybersecurity Information Sharing Act of 2015 (CISA) is designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” Unfortunately, the law has no teeth. Many industries opposed it despite the fact that the idea of sharing intelligence surfaced frequently in discussions. The political climate often tears the best intentions along ideological lines, and that weakens legislation for an end result of not striking a proper balance with respect to security and privacy.
So small businesses are being choked by excessive compliance regulations and large, global firms are forced to increase resources to comply with regulations. The business environment is now so incredibly toxic that many leaders have simply given up trying to work within the system, and security pays the price.
The Role of the Compliance Auditor
Business leaders often complain that auditors advise how to be in compliance by dictating what to do without regard to the organizational context. This conflict commonly occurs when an inexperienced auditor fails to understand an organization’s resources, size and wherewithal to remediate findings efficiently. Small organizations may benefit from this gap since it may be easier to enact small positive changes or alter policy, but it can irritate leaders of large firms.
A compliant environment is not necessarily a secure one, and acheiving compliance is an unreliable method of reducing risk. This sometimes leads CISOs to challenge auditors, counting on management to support their views. Ironically, no individual can reasonably know how to comply with overcomplicated regulations such as Sarbanes-Oxley Act (30,470 words), the Affordable Care Act (400,038 words) or Dodd-Frank Act (377,491 words), let alone the many other rules and regulations applying to businesses today.
A Path Forward
Many of these complex regulations are redundant, with each placing a different spin on its meaning and wording. Security frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and others often overlap, so it’s important to map out specific regulations to address any redundancy.
Remember, a CISO’s focus, regardless of specific compliance requirements, is to safeguard corporate data and, in turn, protect employees, patients, vendors, customers and shareholders. Know the requirements of the regulations you must comply with. Read them, study them, and perform audits and assessments against them. Stay current on interpretations, rulings and news regarding these mandates.
When I headed the internal audit department with a previous employer, these data compliance audits were rarely scheduled. Most regulators prefer unannounced audits to make it harder for companies to sweep issues under the rug at the last minute. You have to be prepared.
In practice, audits can be performed directly by the examination and enforcement staff of the regulatory agency itself. In other cases, third-party examiners, such as accounting firms acting under the oversight of a regulatory agency, may conduct compliance audits. It is therefore critical to work closely with internal auditors to prepare for these events should a breach trigger an unscheduled audit.
Listen to the podcast: Directors Are From Mars, CISOs Are From Venus
Chief Information Security Architect, Securityminders