The list of regulatory compliance challenges facing companies grows longer every time a new regulation is introduced. But do security regulations even work?
The original version of this post was published in Forbes.
If having a long list of rules is the best way to fix a seemingly incorrigible (and growing) problem, then we ought to be headed for a golden age of data security and privacy.
After all, the European Union’s General Data Protection Regulation (GDPR), which took effect this past May, is described as a “261-page beast” by EnterpriseReady, although if you eliminate a lot of white space, you can get it down to “only” 88 pages of dense text.
Either way, there are 99 articles within 11 chapters that cover everything from securing data to reporting breaches to a consumer’s “right to be forgotten,” although that right is not absolute.
The impending California Consumer Privacy Act (CCPA) doesn’t officially take effect until Jan. 1. But it might as well be in effect now since organizations needed to have their data collection systems in place by the start of this year.
It runs “only” a few dozen pages, but is packed with requirements—some of them more extensive than those in the GDPR—about giving consumers control of their data: to know what a company has collected, how it’s used, who it gets shared with, and so on.
And those are just the new ones. For 23 years as of this past week, we’ve had HIPAA (Health Insurance Portability and Accountability Act), which mandates the security and privacy of personal medical information. It runs more than 160 pages.
We’ve had FACTA (Fair and Accurate Credit Transactions Act), aimed at protecting against identity theft, since 2003.
Beyond that, the online world is littered with “standards” and “best practices” for securing software—the PCI DSS (Payment Card Industry Data Security Standard) and the NIST (National Institute of Standards and Technology) Cybersecurity Framework are two of the most prominent.
Along with those are organizations like OWASP (Open Web Application Security Project), BSA-The Software Alliance, and the ISO (International Organization for Standardization), which publish security best practices.
The frameworks don’t have the force of law, but failure to follow some of them can result in sanctions and legal liability.
And yet, with all that in place or soon to be in place, nobody is saying it’s time to retire the “privacy is dead” mantra that has prevailed for more than a decade. Nobody is suggesting that personal information—health, financial, location, affiliations—is appreciably less vulnerable to cyber criminals.
Indeed, there are so many headlines about data breaches and ransomware attacks that most of us have grown numb to them.
And while there are multiple reasons, most of them come down to a single word: compliance. Rules are only effective if everybody follows them—all of them, all the time.
That’s not easy. Regulatory compliance is complicated, expensive, and full of challenges. Four years ago, experts were talking about “compliance fatigue,” given the number of standards and regulations organizations had to follow regarding the collection, sharing, and security of data.
At the time, Rich Mogull, CEO and analyst at Securosis, said companies had been struggling with the issue since SOX (Sarbanes-Oxley), aimed at protecting investors from accounting fraud, became law in 2002. “Some CISOs spend 30% or more of their time dealing with compliance issues,” he said.
And that was when GDPR was still just a gleam in the EU’s eye.
So perhaps that is why, even with the threat of megafines against organizations that violate security and privacy regulations, regulatory compliance remains uneven.
Dorian Cougias, co-founder and compliance scientist at Unified Compliance Framework, said while “overall” compliance is improving, it is slow—very slow. “Glacial-pace gradual versus fast-turtle pace,” he said.
But he said GDPR and CCPA have prompted companies to get much more serious about privacy and to understand better “where their data lives,” how it is processed, stored, and used.
And Daniel W. Berger, an independent consultant with The Palisade Group and former president and CEO of Redspin (now a division of CynergisTek), said compliance with HIPAA “has steadily improved over the past few years.”
“The Meaningful Use program, which made HIPAA risk assessments (HSRA) mandatory for attestation, helped raise awareness enormously,” he said. “Today, most health systems conduct HSRAs annually.”
However, there is other evidence that progress is not just slow, but perhaps regressing. The 2018 Verizon Payment Security Report noted that after five straight years of increases in the percentage of companies in full compliance with the PCI DSS (a total fivefold increase), it dropped from 55.4% in 2016 to 52.5% in 2017.
The report said this was due to an increasing lack of security controls. “Many of the security controls that were missing cover fundamental security principles that have broad applicability. Their absence could be material to the likelihood of an organization suffering a data breach,” it said.
And while HIPAA has reported only a few multimillion-dollar settlements for violations in 2019, as of last week it had logged 541 reported breaches for the year, most involving hundreds or a few thousand records. That’s an average of more than two a day.
That doesn’t mean organizations don’t care about compliance. The recent 2019 Cloud Security Report by Cybersecurity Insiders and supported by Synopsys found that organizations during cloud migration felt a top challenge was maintaining regulatory compliance.
But it does raise an obvious question: Is requiring compliance with multiple regulations and standards the most effective way to improve data security and consumer privacy?
Chris Clark, senior manager, embedded ecosystems, at Synopsys, said while the regulations are “well intended and have provided a level of control on PII (personally identifiable information), they really have not adapted at a pace necessary to address the current data landscape.”
Beyond that, he said, even companies that try to comply aren’t always able to. “We have seen a multitude of successful attacks on organizations that fall under these standards. In many cases the organization has attempted to meet requirements outlined by a standard but did not take all aspects or implementation details into account. The standards need to evolve to delve deeper than process,” he said.
Another reality is the long-established mantra of experts that “compliance is not security.” In other words, following all the rules, while it will help, doesn’t mean you’re bulletproof, since regulations generally don’t keep up with the evolution of threats.
Berger said he regularly reminds clients of the difference. “The overriding concern with the HIPAA model is that it is very possible to be compliant without being secure,” he said. “Regular penetration testing, vulnerability analysis, and social engineering exercises—particularly ‘phishing’—should be conducted in addition to HSRAs.”
Cougias adds that data security doesn’t equal data integrity, and that there isn’t really a “best model” for that, especially in cloud deployments.
“Data integrity is about protecting data from unauthorized or unplanned modification or deletion. In the cloud, with highly diverse solutions, or even a multi-cloud environment, data integrity can be tricky,” he said.
Yet a third challenge is that while all these standards and regulations share a similar goal, they are not all the same. Compliance with one regulation doesn’t mean you’re even close to complying with them all.
There are efforts to make things less complicated. The PCI Security Standards Council (SSC), which develops the PCI DSS, announced in July that it was “mapping PCI DSS to the NIST Cybersecurity Framework,” with the goal of illustrating how “meeting PCI DSS requirements may help demonstrate achieving NIST Framework outcomes for payment environments.”
But there are still multiple differences among standards. Cougias notes that yet another impending privacy law, Nevada’s SB 220, which is set to take effect in October, “has more explicit rules for the sale of personal data than does CCPA or GDPR.”
“For instance, SB 220 states that once a person opts out, the organization can never sell or transfer their data, while with CCPA that only lasts for 12 months before the user has to opt out again,” he said.
He recommends that organizations “collect all of the laws and regulations they have to follow and then harmonize them into a suite of Common Controls. They can then use those Common Controls to divide and conquer their work.”
“There are going to be inconsistencies among all of the laws and regulations,” he said, “and the organization’s legal counsel and leadership will need to decide which aspects of the model to embrace and which to ignore at the level of risk they are willing to accept.”
Despite those and other flaws, however, nobody so far has come up with a better overall model than regulation. While there have been hopes that the consumer market would reward organizations that focus on security and privacy and reject those that don’t, it hasn’t happened. Consumers are still much more dazzled by features than security, and industry has responded to that incentive.
Troy Leach, chief technology officer at the PCI SSC, contends that “every industry benefits from standards that establish good practices for consistent results. Security standards are no different. Compliance is simply demonstrating those practices are consistently applied as expected.”
He said when companies struggle with compliance, “it often is a result of lack of understanding or not investing in the right methods and technology to make the effort easy to repeat.”
“The most important thing,” he said, “is that companies create and maintain a culture of security.”
Our new eBook 4 Software Compliance Gotchas to Avoid outlines how you can overcome regulatory compliance challenges by building security into your applications throughout the development life cycle.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.