The Value Of Separating Compliance And Enterprise Cyber Security Goals
The General Data Protection Regulation (GDPR), a mandate from the European Union (EU), went into effect May 25, 2018. The regulation is comprehensive in its treatment of data protection and information security practices at the enterprise level. Somewhat similar legislation built around an opt-out model, the California Consumer Privacy Act (CCPA), went into effect January 1, 2020.
Organizations that are not compliant with these laws run the risk of steep fines. To provide some background on the GDPR, Cyber Security Hub created a market report offering end-user “best practices” and stacking GDPR up against other international compliance measures. Further, it provides insight on separating compliance measures from technical, security-driven events in the enterprise.
Cooperation Is Key To Data Privacy Transformation
While the GDPR presents numerous challenges for multinational organizations, it also underscores the importance of interdepartmental communication and cooperation.
Due to its broad scope, GDPR requires “complete transformation” within the organization. Data privacy and cyber security law expert Jamal Hartenstein said, “Cooperation and engagement of senior management, and forming the right team will be key to successful GDPR maturity.”
As its effects trickle down to various business units, different departments may need to document a process-flow diagram of how data traverses their enterprise, Hartenstein said.
The broad nature of the regulation demands attention from customer service technicians, network management employees, public affairs, backup and disaster recovery employees, the legal department, and more.
Similarly, Glenda Lopez, Director of Global Risk and Compliance at The Henry M. Jackson Foundation for the Advancement of Military Medicine said that “the overall culture of an organization embracing security and the rapid changes is key.”
She continued: “People, process and technology are crucial to maturity as security has tentacles and touches everything within an enterprise. Security practices should not be siloed. It has been and always will be an enterprise-wide job and involves the entire organization.”
Compliance Versus Security
With the expanding workload of today’s chief information security officer (CISO) and other members of the security team, it is tough to draw a line in the sand between security operations and compliance measures. To be compliant, an organization must have a deliberate security posture.
To be tightly buttoned-up, it must also be compliant with the governing frameworks and mandates. To reach both optimal security and compliance, it must thoroughly understand its own risk profile.
This is a complex and evolving territory in the security space, and it extends far past the CISO, up the corporate ladder to the board and across the employee base.
Still, Hartenstein advocated a careful delineation between the two. He said that compliance measures and technical, security-driven events do not share the same origin: compliance measures satisfy regulatory checklists, whereas security-driven events apply to an enterprise even when it has no exposure to compliance laws.
“It’s not safe to assume or associate ‘compliance measures’ with what would be adequate technical security to protect either your prized data, or consumer data,” Hartenstein said. “The difference is that regulatory bodies are indeed in place to protect consumer data. Compliance exists as a floor, a minimal standard, a barrier to entry. Technical, security-driven events in an enterprise should be aimed to surpass (not just meet) the bar that regulators set.”
Separating Security And Compliance Goals
The cyber security expert warned against approaching security and compliance under the same strategic goal or business objective.
While the objectives for the two seem outwardly similar, they differ substantially at the organizational level. “Compliance measures may limit your liability in court or mitigate the threat of litigation, while technical security measures are aimed to actually protect your data or address risks unique to your enterprise,” Hartenstein said. For strategic planning purposes, the two must be kept firmly distinguishable.