Chief information security officers (CISOs) love to laugh at ridiculous compliance regulations. In the financial industry, for example, some organizations are forced to comply with Regulations Systems Compliance and Integrity (RegSCI), Commodity Futures Trading Commission (CFTC) rule 39.18, the Committee on Payments and Market Infrastructures (CPMI), the International Organization of Securities Commissions (IOSCO) and Principles for Financial Market Infrastructure (PFMI) Principal 17.

The problem with regulatory compliance is not the rules that are self-evidently absurd, it’s the ones that sound reasonable on their own but impose a huge burden collectively. Federal, state and local governments are cramming thousands upon thousands of new compliance regulations down our throats each year, and that creates big problems for CISOs.

Drowning in Regulatory Compliance Requirements

Each regulator seems to think it can ensure its immortal legacy by issuing standards that are a bit different. Some security experts might argue that regulatory mandates help toe the line for corporations large and small, but it is becoming vastly overcomplicated, especially for small organizations that lack resources.

Consider the Dodd-Frank legislation that aimed to prevent another financial crisis. It’s purpose was to create transparency, stop banks from taking excessive risks, prevent abusive practices, and seize tottering, too-big-to-fail financial firms. That law spanned 843 pages — that’s 23 times longer than the Glass-Steagall law that followed the Wall Street crash of 1929. Dodd-Frank became outrageously demanding when regulators filled in further compliance details beyond its original purpose.

For example, the Cybersecurity Information Sharing Act of 2015 (CISA) is designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” Unfortunately, the law has no teeth. Many industries opposed it despite the fact that the idea of sharing intelligence surfaced frequently in discussions. The political climate often tears the best intentions along ideological lines, and that weakens legislation for an end result of not striking a proper balance with respect to security and privacy.

So small businesses are being choked by excessive compliance regulations and large, global firms are forced to increase resources to comply with regulations. The business environment is now so incredibly toxic that many leaders have simply given up trying to work within the system, and security pays the price.

The Role of the Compliance Auditor

Business leaders often complain that auditors advise how to be in compliance by dictating what to do without regard to the organizational context. This conflict commonly occurs when an inexperienced auditor fails to understand an organization’s resources, size and wherewithal to remediate findings efficiently. Small organizations may benefit from this gap since it may be easier to enact small positive changes or alter policy, but it can irritate leaders of large firms.

A compliant environment is not necessarily a secure one, and acheiving compliance is an unreliable method of reducing risk. This sometimes leads CISOs to challenge auditors, counting on management to support their views. Ironically, no individual can reasonably know how to comply with overcomplicated regulations such as Sarbanes-Oxley Act (30,470 words), the Affordable Care Act (400,038 words) or Dodd-Frank Act (377,491 words), let alone the many other rules and regulations applying to businesses today.

A Path Forward

Many of these complex regulations are redundant, with each placing a different spin on its meaning and wording. Security frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and others often overlap, so it’s important to map out specific regulations to address any redundancy.

Remember, a CISO’s focus, regardless of specific compliance requirements, is to safeguard corporate data and, in turn, protect employees, patients, vendors, customers and shareholders. Know the requirements of the regulations you must comply with. Read them, study them, and perform audits and assessments against them. Stay current on interpretations, rulings and news regarding these mandates.

When I headed the internal audit department with a previous employer, these data compliance audits were rarely scheduled. Most regulators prefer unannounced audits to make it harder for companies to sweep issues under the rug at the last minute. You have to be prepared.

In practice, audits can be performed directly by the examination and enforcement staff of the regulatory agency itself. In other cases, third-party examiners, such as accounting firms acting under the oversight of a regulatory agency, may conduct compliance audits. It is therefore critical to work closely with internal auditors to prepare for these events should a breach trigger an unscheduled audit.

Listen to the podcast: Directors Are From Mars, CISOs Are From Venus

More from CISO

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk…

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…