Chief information security officers (CISOs) love to laugh at ridiculous compliance regulations. In the financial industry, for example, some organizations are forced to comply with Regulations Systems Compliance and Integrity (RegSCI), Commodity Futures Trading Commission (CFTC) rule 39.18, the Committee on Payments and Market Infrastructures (CPMI), the International Organization of Securities Commissions (IOSCO) and Principles for Financial Market Infrastructure (PFMI) Principal 17.

The problem with regulatory compliance is not the rules that are self-evidently absurd, it’s the ones that sound reasonable on their own but impose a huge burden collectively. Federal, state and local governments are cramming thousands upon thousands of new compliance regulations down our throats each year, and that creates big problems for CISOs.

Drowning in Regulatory Compliance Requirements

Each regulator seems to think it can ensure its immortal legacy by issuing standards that are a bit different. Some security experts might argue that regulatory mandates help toe the line for corporations large and small, but it is becoming vastly overcomplicated, especially for small organizations that lack resources.

Consider the Dodd-Frank legislation that aimed to prevent another financial crisis. It’s purpose was to create transparency, stop banks from taking excessive risks, prevent abusive practices, and seize tottering, too-big-to-fail financial firms. That law spanned 843 pages — that’s 23 times longer than the Glass-Steagall law that followed the Wall Street crash of 1929. Dodd-Frank became outrageously demanding when regulators filled in further compliance details beyond its original purpose.

For example, the Cybersecurity Information Sharing Act of 2015 (CISA) is designed to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” Unfortunately, the law has no teeth. Many industries opposed it despite the fact that the idea of sharing intelligence surfaced frequently in discussions. The political climate often tears the best intentions along ideological lines, and that weakens legislation for an end result of not striking a proper balance with respect to security and privacy.

So small businesses are being choked by excessive compliance regulations and large, global firms are forced to increase resources to comply with regulations. The business environment is now so incredibly toxic that many leaders have simply given up trying to work within the system, and security pays the price.

The Role of the Compliance Auditor

Business leaders often complain that auditors advise how to be in compliance by dictating what to do without regard to the organizational context. This conflict commonly occurs when an inexperienced auditor fails to understand an organization’s resources, size and wherewithal to remediate findings efficiently. Small organizations may benefit from this gap since it may be easier to enact small positive changes or alter policy, but it can irritate leaders of large firms.

A compliant environment is not necessarily a secure one, and acheiving compliance is an unreliable method of reducing risk. This sometimes leads CISOs to challenge auditors, counting on management to support their views. Ironically, no individual can reasonably know how to comply with overcomplicated regulations such as Sarbanes-Oxley Act (30,470 words), the Affordable Care Act (400,038 words) or Dodd-Frank Act (377,491 words), let alone the many other rules and regulations applying to businesses today.

A Path Forward

Many of these complex regulations are redundant, with each placing a different spin on its meaning and wording. Security frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and others often overlap, so it’s important to map out specific regulations to address any redundancy.

Remember, a CISO’s focus, regardless of specific compliance requirements, is to safeguard corporate data and, in turn, protect employees, patients, vendors, customers and shareholders. Know the requirements of the regulations you must comply with. Read them, study them, and perform audits and assessments against them. Stay current on interpretations, rulings and news regarding these mandates.

When I headed the internal audit department with a previous employer, these data compliance audits were rarely scheduled. Most regulators prefer unannounced audits to make it harder for companies to sweep issues under the rug at the last minute. You have to be prepared.

In practice, audits can be performed directly by the examination and enforcement staff of the regulatory agency itself. In other cases, third-party examiners, such as accounting firms acting under the oversight of a regulatory agency, may conduct compliance audits. It is therefore critical to work closely with internal auditors to prepare for these events should a breach trigger an unscheduled audit.

Listen to the podcast: Directors Are From Mars, CISOs Are From Venus

More from CISO

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read