It is safe to say that compliance is a major reason that organizations worry about security today. Despite fears of hackers and cyberespionage dominating the news, despite appeals and guidance encouraging enterprises to shift their focus from audits and control checklists to threats and risks, there is plenty of evidence, from healthcare to finance, that complying with laws, regulations, and industry standards remains the biggest driver of security program strategies and budgets.
An interesting and related development is also happening in cybersecurity today, something I think of as a human turn in the industry, a shifting of concern away from technology and security products and towards the individuals who make (or break) security functionality. The “people, process, and technology” triad has always been touted by the industry as a requirement, but people have often been the target of more lip service than action, and technology tends to be the industry’s primary focus. Yet we seem to have hit a tipping point of sorts, as more and more ordinary people find themselves uncomfortably in the middle of an apparent epidemic of security failures. Average users who were previously not expected to even understand security are finding themselves labeled “insider threats,” liable at any moment to click on the wrong link or attach the wrong file to an email and end up the direct cause of a data breach. Outside the enterprise, these same people are told to worry about their cars being hacked, their medical devices being compromised, or their household appliances spying on them. People, both the clueless and the truly bad actors determined to steal, disrupt, and compromise, are now seen as a primary source of risk to information infrastructures.
What I find interesting about the state of people-centric security today is the parallels I see with other industries that have to deal with infrastructure risk. In several of these industries, the people side of the equation is being explored and tackled in ways that may have profound implications for cybersecurity. Specifically, these industries treat organizational culture as something that can be both a source of liability and a target of compliance regimes. If the trends in these industries bleed over into cyber, and they probably will, the coming years may see an entirely new evolution of security compliance, one focused not just on specific controls, but on intent, meaning, and culture.
The recent court ruling upholding the Federal Trade Commission’s authority to police and fine companies for poor security practices has prompted discussion and controversy. What’s interesting about the FTC’s authority is how flexible it seems to be. We’re not talking about the traditional compliance focus on specific controls in place or formal activities to ensure security. The FTC appears to have the power to punish companies for not doing security right. That difference is striking, implying that filling out checklists is not enough, an argument that echoes what security professionals like those I cited earlier have been saying. Only now it’s not just advice. Arguably, the ruling means that the FTC could levy penalties for actions that resulted from a culture of insecurity, irrespective of the controls an organization had implemented.
This may seem strange and even unfair to many in the security industry, but it’s not that odd when you look beyond our own field. Culture has been fair game in a lot of other civil and criminal liability environments. I’ve mentioned safety and risk culture in the context of the automobile industry in a previous post, but today culture is also being explored from a compliance perspective, internationally, and in the financial industry, which suffered its own risk and failure crisis in recent years.
So what could this mean for security? Possibly some pretty interesting things…
- Imagine a security compliance environment where a company can be held responsible not just for its security controls, but for having an overall culture that failed to take security seriously enough.
- Imagine regulations or industry standards that formally require not only employee training and awareness about security risks, but the instilling of an ethical duty to protect and safeguard private or sensitive data on the part of employees.
- Imagine criminal cases and class action lawsuits where expert witnesses are called to convince a jury whether or not the general culture of the environment was one that took security seriously.
- Imagine whistleblowers revealing to regulators or the public the security lapses and vulnerabilities present within their organizations if they believe those things could trigger a data breach or the exposure of large numbers of sensitive records.
These are all common situations that occur outside of cybersecurity. Our industry has been largely insulated from such developments because of the specialized nature of what we do, and the fact that up until recently security problems just didn’t get that much public attention. But all that is changing fast, and no one knows exactly what tomorrow will bring. Something for today’s enterprise security teams to think about.