The information technology world has changed very quickly in just the last few years. Not just the adoption of the cloud as a preferred data center and the changing knowledge requirements of IT practitioners - information security has taken on a whole new meaning. And because technology leads policy by a goodly amount, we're finding ourselves having to catch up quickly. When your surveillance cameras are weaponized to take down parts of the Internet, something’s gotta be done.
Options to pull ourselves out:
- Legislative leadership to impose regulatory requirements, define illegal activities and create a greater role for local law enforcement (this will be the subject of a later blog.)
- Industry self-regulation, through the creation of standards and adoption of market forces.
- The public-private hybrid: use of the government purse to enhance the uptake of demonstrably secure products (ala FedRamp). That's already happening a bit, as is the creation of the equivalent of a "UL" listing for products that meet standards (which hopefully include plans for ongoing patching, upgrades and maintenance.)
In parallel, what is emerging is being driven both by regulators and the private sector is a focus on third parties. While industry comes up with their own standards of what they'll buy and what they won't, the dangers of suppliers and vendors with network access or interconnected services has become an elephant in the room that has the potential to affect everyone.
So here we are. Legislative gridlock (and that's being generous), technology rapidly outpacing policy, everyone being sued, and needing to control the poorly engineered, poorly deployed, and barely maintained Internet of Things that's already bitten us. Emerging response: push liability and security expectations onto third parties, in part through expanding the purview and reporting requirements of existing regulatory requirements.
Regulatory agencies expanding their purview:
- HHS/OCR - Covered entities must now report ransomware events
- SEC - Leveraging large breaches to expand controls/risk reporting
- FTC - Deceptive trade practice fines are being used against breached companies
Regulations expanded to cover vendors, service providers:
- PCI - service provider security now in scope
- HHS/OCR - HIPAA business associates now subject to HIPAA audit
What do we make of this information? I think at this point, and this is especially true for those of us in the information security service provider business, is that regardless of whether your company is under regulatory requirements that specify an expectation for cyber security controls, if you are a vendor or service provider to those sectors that are, the microscope is being focused on you right now and your expectation should be that your controls reflect that.
Secondarily, market-driven security should be encouraged through procurement processes. Markets have a wonderful ability to “freeze out” products, services and vendors that diminish security, just by applying a little more “score” to products that can be demonstrated as free of security defect, and with maintenance plans that keep them that way. In my view, this will proceed apace and has the potential to move the needle far more effectively than regulation.