How much is enough? With the continuing evolution of compliance requirements and regulations surrounding cybersecurity and privacy, many companies are finding it challenging to figure out what is actually expected of them. The regulatory compliance alphabet soup, including FISMA, GDPR, CCPA, and CMMC, are beginning to drive data security and privacy around the world, but often include vague requirements that leave people wondering what needs to be done. As we continue to see data breaches in the news, more regulations are being created to force organizations to improve their practices and better protect people’s data, but how do we know when what we’re doing is enough?
Security and privacy are not often business drivers, but rather business enablers. As new and evolving regulations are forcing businesses to protect people’s information, it is easy to focus only on meeting those regulatory requirements rather than considering what is important for running the business securely. This often leads to individuals focusing on the problem of the day without considering the bigger picture and causing them to lose track of their key business drivers. Security and privacy are critical in today’s world but can be a barrier to productivity if not implemented thoughtfully which leads people to ask the question, “how much is enough?” Regulations are often written at a high level and can be ambiguous, putting the burden to translate them on the people running the business. Taking a risk-based approach to understanding these requirements can help streamline this effort and simplify the process of figuring out what is enough.
The question stands though, how can someone ensure they are implementing the requirements appropriately and are doing enough? The answer is by managing their risks in a risk register. What is risky and what is enough varies widely between organizations based on their business goals and the industries they operate in. Regulations are often written at a general level because they have to be flexible enough for many types of organizations to implement them, but still specific enough for organizations to understand their objectives.
Managing risk is not a new concept, and many organizations are used to talking about financial and operational risk, but the risks that data can bring are often not given enough attention. A risk register is a great place to start when considering the risks that data can bring to a business. By taking a methodical approach to understanding and identifying what could harm a business, people can gain confidence in their practices and create a mechanism for prioritizing future investments and resources. Developing a risk register forces organizations to think about the types of data the organization handles and stores. This can go a long way when trying to understand the data security and privacy risks and decipher compliance requirements.
To do this, a company should consider specific threats and vulnerabilities that might introduce risk to their business. Would any of the data the business uses be valuable to an outside party? Does anyone outside of the company use the data as a part of normal operations? Are personnel trained on proper handling of data? These questions can help organizations understand what types of sensitive data they have, how it is being handled today, and develop potential scenarios for how their data could be disclosed, modified, or lost. By capturing these scenarios in a risk register, the organization can begin to understand the types of concerns the business may have, where these concerns could lead to noncompliance, and how to prioritize these concerns based upon the likelihood and impact of the scenario occurring.
Many of the new regulations coming out today are primarily focused on preventing leaks or breaches and have been created to protect the confidentiality of data. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) both have a focus on protecting the confidentiality of personal information including an individual’s name, address, Social Security number, etc. The new Cybersecurity Maturity Model Certification (CMMC) program is focused on protecting the confidentiality of U.S. Defense Controlled Unclassified Information (CUI). With all this focus on the protection of data confidentiality, it can be easy to forget about the integrity and availability of the data which may be equally or even more important to organizations, depending on their business priorities. A risk register helps prioritize these different types of risks to ensure they are not overlooked.
Using a risk register to capture and manage risks can help organizations better understand their unique risks and prevent them from focusing solely on their regulatory requirements. While compliance requirements are critical, data security and privacy should not be driven by these regulations alone. In a risk register, an organization can be as general or as specific as they need to be. A small retail shop may be able to create a few general risk events that cover a significant amount of their business such as a disabled or nonfunctional credit card reader causing them to not be able to process credit card payments from customers. However, if they have a store loyalty program, this may introduce additional risks such as a customer’s personal information being stolen due to an insecure credit card reader or stolen laptop.
Developing a risk register to understand the unique risks a business faces provides the first steps to answer the question, “how much is enough?” By discussing the likelihood and impact of these events to occur, organizations can begin to understand how risky a security or privacy event would be to their business and what might happen if the risk was exploited. While compliance is necessary for doing business, it shouldn’t be driving the business. What is enough will be different for everyone, but it doesn’t have to be a mystery. When in doubt, consider the risks and implement capabilities to prevent them from being exploited.
Kelly Hood
Kelly Hood supports organizations across industries to develop and implement strategies to manage the cybersecurity risks to their business and meet cybersecurity best practices, controls, and standards. As a member of the NIST Cybersecurity Framework team, Kelly supported the evolution and outreach of the Cybersecurity Framework throughout the v1.1 update cycle. Recently, Kelly has also supported the CMMI Institute in the development and expansion of the CMMI Cyber maturity Platform. The patent-pending approach she helped develop for CMMI translates cybersecurity risk to cyber maturity goals and identifies mitigation strategies to help organizations improve their cybersecurity capabilities.
