The information technology world has changed very quickly in just the last few years. Not just the adoption of the cloud as a preferred data center and the changing knowledge requirements of IT practitioners - information security has taken on a whole new meaning. And because technology leads policy by a goodly amount, we're finding ourselves having to catch up quickly. When your surveillance cameras are weaponized to take down parts of the Internet, something’s gotta be done.
Options to pull ourselves out:
- Legislative leadership to impose regulatory requirements, define illegal activities and create a greater role for local law enforcement (this will be the subject of a later blog post).
- Industry self-regulation, through the creation of standards and adoption of market forces.
- The public-private hybrid: use of the government purse to enhance the uptake of demonstrably secure products (à la FedRAMP). That's already happening a bit, as is the creation of the equivalent of a "UL" listing for products that meet standards (which hopefully include plans for ongoing patching, upgrades and maintenance).
In parallel, a focus on third parties is emerging, driven by both regulators and the private sector. While industry comes up with its own standards for what it will and won't buy, the danger posed by suppliers and vendors with network access or interconnected services has become an elephant in the room with the potential to affect everyone.
So here we are. Legislative gridlock (and that's being generous), technology rapidly outpacing policy, everyone being sued, and needing to control the poorly engineered, poorly deployed, and barely maintained Internet of Things that's already bitten us. Emerging response: push liability and security expectations onto third parties, in part through expanding the purview and reporting requirements of existing regulatory requirements.
Regulatory agencies expanding their purview:
- HHS/OCR - Covered entities must now report ransomware events
- SEC - Leveraging large breaches to expand controls/risk reporting
- FTC - Deceptive trade practice fines are being used against breached companies
Regulations expanded to cover vendors, service providers:
- PCI - service provider security now in scope
- HHS/OCR - HIPAA business associates now subject to HIPAA audit
What do we make of this information? My take at this point, and this is especially true for those of us in the information security service provider business, is this: regardless of whether your own company is under regulatory requirements that specify an expectation for cyber security controls, if you are a vendor or service provider to sectors that are, the microscope is being focused on you right now, and your expectation should be that your controls reflect that.
Secondarily, market-driven security should be encouraged through procurement processes. Markets have a wonderful ability to “freeze out” products, services and vendors that diminish security, just by applying a little more “score” to products that can be demonstrated to be free of security defects, and that come with maintenance plans that keep them that way. In my view, this will proceed apace and has the potential to move the needle far more effectively than regulation.