The adage that rules were made to be broken could be a catch phrase for today's cybercriminals, but the security professionals working to stop them don't have the option to do whatever they want—particularly when the rules are government regulations. The penalties are high and the risks are far too great to become a regulation rebel who fails to appreciate that regulatory compliance isn't optional, particularly when significant reputational impact is at stake.
However, for regulation realists, the professionals committed to continuous compliance, it can be tough to find firm footing on a regulation-intensive landscape constantly being altered by new rules in almost every region and on nearly every legislative level. Organizations are focused on making compliance simple and easy to understand for their team members, and on demonstrating compliance to their customers.
These issues are explored by the Security for Business Innovation Council (SBIC) in its latest report, "Taming Cybersecurity Regulation Mayhem: Laying the Groundwork for the Regulatory Rush."
The report by the SBIC, a group of top security executives and thought leaders from Global 1000 enterprises, comes at a particularly busy time for regulation realists. Depending on industry type, company size or global footprint, a number of major regulations are either now in effect or coming soon, such as the new European Union General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. SBIC members have plenty of relevant advice for organizations looking to minimize the burden of legislation that may impact their security postures, including:
- Get going: Regulatory changes are already under way. Don't be lulled into inaction by changes that take effect over what seems like a long period, because organizations often leave themselves with too much to do in too little time.
- Compliance is becoming more costly, but it's a critical investment: Today, security is an essential long-term investment in the future success of a company, and regulations are part of that investment.
- You can't rely on hope: Many small and mid-sized companies believe they won't be affected, but that mindset is based on little more than hope, and that's not an effective or realistic approach.
Besides offering a clear-eyed look at the regulatory landscape and its requirements, the SBIC report also outlines three essential strategies that regulation realists can use to handle what's ahead:
- Move from checking the box to framing the risk - Companies must develop agile, proactive security frameworks that optimize their resources, rather than trying to make do with a minimal "check the box" approach.
- Harness collective insight - The daunting demands of regulation can't be met if an organization doesn't fully tap available knowledge and resources across all internal and external sources, such as information published by a regulator.
- Maximize the power of automation - The sheer number of regulations makes it essential to capitalize on and embrace automation in an organization's systems to ensure compliance and improve cross-enterprise collaboration.
The report offers much more detail and insight from SBIC experts. As regulatory challenges for organizations globally become more complex and crucial to business, it's critical for regulation realists to make sure their thinking is comprehensive, agile, and up-to-date.
Author: Peter Beardmore
Category: RSA Point of View, Blog Post
Keywords: Reputation, Regulatory Compliance, SBIC