Strategic cybersecurity is compliant by design
Industry standards, federal and state government legislation and international regulations are shifting at a rate that often exceeds organisations’ ability to keep up with cybersecurity compliance. In Australia, revisions to the Privacy Act are under consideration, Queensland is introducing its own data breach notification rules and critical infrastructure laws are likely to change. Throw in revisions to standards such as NIST, PCI DSS and others and compliance starts to become a never-ending game of ‘whack-a-mole’.
And that’s where the problem lies. When you see compliance as a thing you need to do rather than a way of working, it becomes an arduous and costly exercise. Compliance should not be the specific goal. Compliance should be the by-product of systems and processes that are designed from the outset to be secure. When you design systems to protect the confidentiality, integrity and availability of data, they are compliant from day one.
Build on a risk-based foundation
Most cybersecurity strategies are built by taking a risk-based approach. Typically, a group of people come up with a list of possible risks, assess the impact and likelihood of each risk, map them on a matrix and build contingency plans for the most likely and highest impact risks. But this approach is reactive. It focuses on taking action after an incident or event has occurred.
One approach to managing compliance is taking a zero trust approach to system and process design. Despite the rhetoric of many vendors, zero trust is not a product that you can buy in a box. It is a set of principles that are applied throughout design and implementation.
One of the most common risks faced by organisations is credential theft. HaveIBeenPwned has almost 13 billion stolen accounts in its database. The compliance-based response to this is to follow guidelines, such as those published by NIST, that specify length, complexity and cycling rules for passwords.
At a recent security forum, the CISO of Wesfarmers One said his organisation takes a zero trust view on user accounts and operates on the assumption all passwords are already breached. Instead, its systems are designed to detect and block anomalous activity.
This approach ensures compliance with the goal of protecting personal and business data the company holds and vastly simplifies life for end users as they no longer need to change passwords every 30 days.
We see the impact of compliance every time we are prompted to provide a code through a multifactor authentication (MFA) system. MFA exists because usernames and passwords alone are not strong enough to meet data protection requirements, so stronger authentication is needed to comply with them.
Compliance with standards such as the Essential Eight, NIST and ISO 27001 is important. It establishes that an organisation takes information security seriously and has taken steps to protect systems and data. But by designing and building systems and processes with sound information protection practices, compliance becomes a far simpler issue to manage. When security is added after a system is designed and implemented, it usually adds cost and complexity for users. When it is included in the design, compliance costs are reduced and user complexity can be minimised.
While there are many different security standards, a risk-based approach to design that understands the goals and obligations of different compliance regimes makes it possible to be simultaneously compliant with multiple standards. For example, all security standards now include obligations around data encryption. By applying strong encryption that abides by industry standards, an organisation can satisfy that obligation under several standards at once.
The goal of compliance is to provide a set of minimum standards that enable organisations to protect data and systems. When systems are designed with that in mind, two birds are effectively hit with one stone. Systems are compliant with regulatory obligations, and they are more secure by design than they would otherwise be. Organisations shouldn’t approach cybersecurity to meet compliance requirements. They should analyse their risk profile and tailor the right protections from concept to design and through to implementation and beyond.