With major data breaches occurring on a regular basis, and European regulators setting new precedents that global-oriented businesses must follow, U.S. lawmakers are actively working to toughen cyber security and data privacy regulations here in the United States.
The California Consumer Privacy Act (CCPA), already in effect, is one such example. But with other states moving in the same direction, it won’t be the last. Similar in scope to Europe’s General Data Protection Regulation (GDPR), which has led to high-profile investigations of companies like Google, Facebook and Uber, the CCPA is designed to hold key leaders legally responsible for their organization’s failure to protect data.
Cyber Security Resources: ‘The Good, the Bad & the Ugly’
Many CIOs and CISOs have long understood the risks of a lax approach to cyber security, but simply haven’t had the resources available or executive authority to make the sweeping, organization-wide changes necessary to meet them. Those changes require action in three directions: security, privacy and risk, or the SecPrivaRisk model, as we call it.
SecPrivaRisk integrates security, privacy and risk management in a way that meets new regulatory needs, while also anticipating further developments in consumer data protection and privacy laws. As such, it offers a valuable model of action, whether you’re interested in locating and shoring up potential gaps in your current strategy or looking to completely overhaul your cyber security program.
Based on the most-likely assets of businesses with $2 billion or more in annual revenue, the model identifies three known paths for successfully managing SecPrivaRisk obligations:
- A one-time security consultant or auditor (including a Virtual Chief Information Security Officer, or vCISO)
- An ongoing relationship with a cyber security services provider that’s framework-focused and includes maintenance
- A professional law firm with cyber security and data protection as its areas of expertise
Each of these resources has a “good, bad and ugly” aspect. First, each offers specific advantages, i.e., the “Good.” The right cyber security services provider, for instance, will provide highly specialized expertise to help you implement a strategy that follows an established cyber security framework (CSF). Similarly, a legal partner will offer important attorney-client privilege to help keep your initial audit confidential.
But each also has its downsides, i.e., the “Bad.” A law firm will provide expert guidance, but at a steep price, and it leaves the creation and execution of any formal strategy entirely in your court. A one-time consultant may bridge this gap by helping craft strategy, but their more attractive initial rates can quickly become inflated if they’re retained past the initial contract period — a not-unlikely scenario given the need for ongoing diligence.
Taking all this in leads to the conclusion that the best path forward is using each of these resources in coordination with one another. That hard truth is what we call “the Ugly” part of the equation: you’re most likely going to have to plan, budget and hire for all three of these paths to some degree.
Facing the Hard Truths about Cyber Security — and Understanding the Solutions Available
What we call the “Ugly,” then, is a formidable task that includes:
- Coming to terms with the fact that compromise is inevitable
- Orienting your entire organization to embrace a cyber security mindset as a whole
- Finding the budget for each of the three steps needed to demonstrate that you’re doing everything in your power to protect sensitive data
- Integrating data privacy policies into your final cyber security model
Failing to address each of these concerns can lead to real consequences. Operationally, you may struggle to retain clients and attract new ones without a formal strategy for compliance. Even more seriously, in light of the CCPA, attorneys have delivered the alarming news that the executive suite and even the boardroom can be held accountable for perceived negligence in cyber security leadership.
That legal obligation alone should offer all the incentive you need to justify the inclusion of these concerns in your annual operating budget. (If that’s not enough, consider the recently proposed Mind Your Own Business Act, which threatened jail time for executives found to be acting dishonestly in terms of data security and privacy.)
There’s a pattern here: Lawmakers are figuring out that CIOs and CISOs don’t have the authority to distribute the “budget beans” needed to really address cyber security. By placing the legal obligation on company leaders, they’re effectively forcing the issue — and the budget spend, and its justification — on companies as a whole.
A Job That’s Too Big for Your IT Department
Given the need to tackle this challenge on an organization-wide scale, and given their own personal levels of risk, any executive leader, board member or controller who decides to force this spend into an IT budget isn’t just miscalculating; they may be exposing themselves to personal legal risk.
Let’s face it, your IT department can’t magically save the day here. Even if they had the legal expertise and executive authority to tackle cyber security on a system-wide basis, it’s unlikely that they have the feet on the ground to do so. Most IT teams are dreadfully overloaded and suffering from tool fatigue. They’re riddled with annoying alarms, notifications, alerts and false smoke signals going off 24x7x365.
We’ve come to expect our IT teams to be the first responders for everything with a blinking light, the handymen of digital systems and services when employees need tweaks. We expect them to be firefighters when software goes up in flames, EMTs when a system emergency flares up, doctors when older computers need treatment, surgeons when technical miracles are necessary to survive.
But the game has changed. Getting up to speed on cyber security, and implementing the system-wide improvements needed to meet the challenge, is a task for your entire organization, not just IT. Firing CIOs and CISOs for security breaches isn’t getting the job done — it’s time to accept the responsibility and open the purse strings enough to meet the new obligations of cyber security.
It’s Not Too Late to Get Tough on Cyber Security
Whether we admitted it to ourselves or not, we all knew this day was coming. Consider the recent statistic that 97% of organizations are expected to increase their spend on data privacy in the coming year. There’s an understanding that we’re headed for a blood bath in compliance, with regulatory agencies actively seeking companies to make examples of — and a desire to avoid being that example.
To satisfy these regulators, then, organizations should be prepared to offer a “blueprint” for cyber security and privacy. And crafting that blueprint requires a deep understanding of current compliance requirements (locally, nationally and globally, if applicable). It also requires highly skilled, authoritative technical writing that clearly and confidently lays out your official data security posture.
It’s no small task, and it shouldn’t be, either. Especially in light of the many work-from-home scenarios caused by COVID-19 — and the heightened risk to data security those home workers represent — the need for a comprehensive and fully updated cyber security program is more urgent than ever. If you’re not actively working on everything we’ve discussed here, you’re already behind, and likely ceding ground to competitors who understand that tomorrow’s leaders will be those who take immediate action on cyber security today.
Full disclosure: Many of the cybersecurity and privacy service areas outlined here are offered by Omnistruct. We can help provide the expertise you need to ensure that your cybersecurity efforts meet today’s regulatory and commercial demands. We don’t practice law, but we do have attorneys on staff who can recommend law firms to meet your specific privacy needs.
The clock is ticking: Contact us here to set up a complimentary consultation with an Omnistruct cyber security specialist.