Digital transformation and the increased regulatory burden

March 2021  |  SPECIAL REPORT: MANAGING RISK

Financier Worldwide Magazine

March 2021 Issue


The UK Computer Misuse Act (1990) is one of the early pieces of legislation for securing computer material against attack. This Act, which came into being before the introduction of the world wide web and ubiquitous internet access, and when mobile phones were still bricks carried around by those we called ‘yuppies’, is still in force today.

Now it faces several challenges as it seeks to regulate criminal activity in a very different world. To say the world has transformed since the implementation of the Act is an understatement. Mobile devices are now more powerful than many of the mainframe computers of 1990, many businesses rely on cloud services, and the internet is an essential part of many people’s daily lives.

The advancement of technology we have seen in the last 30 years is driving a transformation in businesses as they seek to keep up with the changing markets. Digital transformation is essential if organisations are to survive in the modern world and is leading to technology being at the heart of most businesses, whether that is through the adoption of cloud, mobile or Internet of Things (IoT)-connected devices.

While this transformation has been underway for a number of years, it is now reaching critical mass as organisations move critical infrastructure and operational systems onto new, connected platforms. Manufacturing plants, transport systems, utilities and healthcare increasingly rely on connected devices. Sensitive and regulated data is also moving beyond the traditional organisational network perimeter, as cloud services are used to build and deliver services, and data is shared digitally between organisations.

Organisations no longer have the same control, or illusion of control, over data that they had in the past, and there is almost no business that would be unaffected by the loss of digital services or data. The global pandemic has accelerated the adoption of digital technology; organisations that were further along in their digital transformation were able to adjust more quickly to a sudden increase in remote work, while others now need to accelerate their journey. Either way, organisational resilience and survival rely on digital security like never before.

This increasing reliance on technology, particularly by critical infrastructure organisations, raises genuine concerns for citizens, organisations and governments about the resilience of our systems and data privacy. As data moves beyond organisational and country boundaries, we must ask ourselves: how can it be protected from abuse? How do we ensure that a business is able to be resilient to interruptions in IT service?

Combine this with the increasing prevalence and pervasiveness of cyber attacks and there is a genuine concern over resilience of the critical infrastructure of a country. Governments are asking: how do we ensure that we are resilient against a cyber attack hitting major infrastructure and financial services? How do we ensure businesses are taking the steps needed to protect themselves and the services they provide?

This has led to an expansion in regulation. What do governments typically do when they face risks they cannot control? They regulate. This is the major recourse they have to ensure that organisations are taking the minimal steps needed to protect themselves and to enforce the values and outcomes they need to see for a sector. The challenge we face is that each industry, sector or geography will implement its own regulations.

At the same time, older pieces of legislation do not disappear and must still be complied with. The Computer Misuse Act is still in force in the UK, but it does not provide the safeguards it once did, and in practice it makes some cyber threat intelligence activities more difficult: its unauthorised access offence has no defence for legitimate security research, so scanning or probing infrastructure an organisation does not own can itself fall foul of the Act. For global organisations, this creates a major headache as they seek to build policies and procedures that allow them to operate legally across jurisdictions and regulations.

The first step is not to build a pure compliance culture, as this can stifle innovation and interrupt the digital transformation that is essential to the operation of the business. It is important to address regulations while still pursuing business goals. There are plenty of examples of organisations that have focused on the checkbox without demonstrably reducing their risk. The Payment Card Industry Data Security Standard (PCI DSS) came about because the card schemes could see that not even basic security measures were being taken by merchants and processors, so they specified a prescriptive standard for what was needed.

However, many organisations focused only on complying with the standard, not on the reason for its existence, treating it as the extent of their security rather than the minimum. The lack of a prescriptive standard is, conversely, one of the reasons the General Data Protection Regulation (GDPR) is criticised. It uses phrases such as ‘taking into account the state of the art’ and ‘appropriate technical and organisational measures’ and expects a risk-based approach, which makes it very difficult to reduce compliance to a checklist. If you are building systems that will process personal data, it is your responsibility to assess the risk and take appropriate steps to protect it. If you do not maintain good security practices and unnecessarily expose that data, you will be held liable.

Risk and compliance professionals directly supporting the business can truly make a difference in enabling them to navigate the right route to success. They need to be focused on how to achieve business success, but in a way that makes the organisation resilient and helps it to comply with regulations designed to enable that.

It is important to look at the business goals and risk profile of the organisation, including both its strategic goals and the regulatory and compliance environments in which it operates. Building a cyber resilience strategy around the organisation’s own policies and controls is essential to success. Look at the risk outcomes that the organisation is trying to achieve and map to that any controls that may be needed. The organisation should focus on developing its own risk management framework that it can use to map to the regulations it must meet in each jurisdiction.

The US National Institute of Standards and Technology (NIST) Cybersecurity Framework has gained a lot of popularity because it is focused on the risk and desired outcome for each of its functions, rather than on individual controls or approaches. Using a framework such as this as the basis for an organisational risk and compliance programme allows the business to adapt more easily to different legislative requirements, and in many cases provides more security. This is the approach cloud providers take: they build their services against their own controls, standards and policies, and then map those controls to the certifications and regulations their customers require.

Complying with a new regulation involves mapping its requirements against the company’s existing control framework. In most cases the existing controls will be sufficient. Where an adjustment is needed, it should, where possible, be made to the whole control framework rather than just for that jurisdiction. This provides consistency and allows risk to be managed holistically across the world. Specific requirements such as data residency may genuinely need a geography- or industry-specific approach; for these, there should be a documented, proven process for implementing them so that they can be maintained over time.

Maintaining global compliance in a constantly connected and evolving world is difficult using traditional compliance management processes. Traditionally, many of these processes were run in spreadsheets, which are very hard to keep current in a dynamic, changing digital organisation. Automating compliance checks, e-discovery and reporting is essential to success. This is particularly true in cloud services, where capabilities are continually evolving and agility is key. Putting guard rails in place that prevent a non-compliant implementation from being deployed at all, rather than relying on a point-in-time audit to find it later, provides more reassurance that regulatory requirements are being met and allows issues to be detected and contained as quickly as possible.
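The two ideas above (mapping a regulation onto the organisation’s own control framework to find gaps, and a pre-deployment guard rail that blocks non-compliant configurations instead of catching them at audit time) can be expressed as policy-as-code. The following is an added illustration written for this article, not code from the author or from Microsoft. The control IDs, the regulation-to-control mapping, the approved-region table and the sample resources are all constructed for the example and carry no legal weight; a real programme would draw these from its own framework and legal advice.

```python
"""Policy-as-code guard rail: map regulations onto an internal control framework,
then check proposed cloud resources against that framework before deployment.
All identifiers, mappings and sample data below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical internal control framework: control ID -> description.
CONTROLS = {
    "CTL-ENC-01": "Regulated data is encrypted at rest",
    "CTL-LOG-01": "Access to regulated data stores is logged",
    "CTL-RES-01": "Regulated data stays in regions approved for its jurisdiction",
}

# Hypothetical mapping from a regulation's requirements to internal controls.
# A requirement that references a control the framework lacks is a gap that
# should be closed framework-wide, not with a one-off fix for that jurisdiction.
REGULATION_MAP = {
    "GDPR": {
        "security-of-processing": ["CTL-ENC-01", "CTL-LOG-01"],
        "international-transfers": ["CTL-RES-01"],
    },
    "HYPOTHETICAL-LOCAL-RULE": {
        "retention-limit": ["CTL-RET-01"],  # not in CONTROLS: reported as a gap
        "encryption": ["CTL-ENC-01"],
    },
}

# Assumed data-residency policy: jurisdiction -> regions approved for regulated data.
APPROVED_REGIONS = {
    "EU": {"eu-west-1", "eu-central-1"},
    "UK": {"eu-west-2"},
}


@dataclass(frozen=True)
class Resource:
    name: str
    region: str
    classification: str  # "public" or "regulated"
    jurisdiction: str    # whose residency rules govern the data
    encrypted_at_rest: bool
    access_logging: bool


def gap_analysis(regulation: str) -> dict[str, list[str]]:
    """Return requirements of `regulation` that reference controls missing from
    the framework. An empty dict means the existing controls already cover it."""
    gaps: dict[str, list[str]] = {}
    for requirement, control_ids in REGULATION_MAP[regulation].items():
        missing = [c for c in control_ids if c not in CONTROLS]
        if missing:
            gaps[requirement] = missing
    return gaps


def evaluate(resource: Resource) -> list[str]:
    """Return the control IDs a proposed resource would violate."""
    if resource.classification != "regulated":
        return []  # these controls only apply to regulated data
    failures: list[str] = []
    if not resource.encrypted_at_rest:
        failures.append("CTL-ENC-01")
    if not resource.access_logging:
        failures.append("CTL-LOG-01")
    if resource.region not in APPROVED_REGIONS.get(resource.jurisdiction, set()):
        failures.append("CTL-RES-01")
    return failures


def guard_rail(resources: list[Resource]) -> tuple[list[str], dict[str, list[str]]]:
    """Admission check run in the deployment pipeline: returns the names of
    admitted resources and a map of blocked resource -> violated controls."""
    admitted: list[str] = []
    blocked: dict[str, list[str]] = {}
    for r in resources:
        failures = evaluate(r)
        if failures:
            blocked[r.name] = failures
        else:
            admitted.append(r.name)
    return admitted, blocked


# Constructed sample deployment request.
SAMPLE = [
    Resource("customer-db-eu", "eu-central-1", "regulated", "EU", True, True),
    Resource("analytics-copy", "us-east-1", "regulated", "EU", True, True),
    Resource("uk-claims", "eu-west-2", "regulated", "UK", False, True),
    Resource("marketing-site", "us-east-1", "public", "EU", False, False),
]

if __name__ == "__main__":
    for reg in REGULATION_MAP:
        print(f"{reg}: gaps = {gap_analysis(reg) or 'none'}")
    admitted, blocked = guard_rail(SAMPLE)
    print("admitted:", admitted)
    for name, controls in blocked.items():
        print(f"blocked {name}: {', '.join(CONTROLS[c] for c in controls)}")
```

The point of the design is that the pipeline evaluates the organisation’s own controls, not each regulation directly: adding a jurisdiction means extending APPROVED_REGIONS and REGULATION_MAP, and a genuinely new obligation surfaces as a gap in gap_analysis rather than as a surprise finding in a later audit.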

As our world becomes more digital and business transactions rely more on connectedness and the sharing of data, we can expect the number of regulations to grow, and old legislation such as the Computer Misuse Act to be updated. This is a reality of business in a digital world. Evolving automated and efficient methods of managing compliance will be essential.


Siân John is chief security adviser at Microsoft. She can be contacted on +44 (0)118 909 4786 or by email: sian.john@microsoft.com.

© Financier Worldwide
