Why regulation may not be the inhibitor you think to evolving your cybersecurity.
A while back, I remember chatting with some fellow researchers about how, one day, there would be more lawyers than cybersecurity experts, as the line between commercial remote administration software and malicious backdoor software was being debated. Thankfully, that reality hasn’t come to pass. However, in an increasingly regulated society, we have seen a raft of new requirements come into force that affect cybersecurity and digital activities generally, such as GDPR (General Data Protection Regulation), NISD (the Network and Information Systems Directive) and PSD2 (Payment Services Directive 2), all in the EU, and CCPA (California Consumer Privacy Act) in the U.S., to name just a few. Many others already exist, and more are on the way around the globe.
All these laws carry one common theme: how to enable an increasingly digital society to be safer, which is, I’m proud to say, close to our own company’s mission statement “to protect our way of life in the digital age by preventing successful cyberattacks,” thereby creating a world where each day is safer and more secure than the last.
My concern, however, is that I often hear security experts explaining why they can’t do what they need to as a result of some of these new regulations. For example, they can’t put their security data in the cloud due to GDPR concerns. This, by the way, simply isn’t true. GDPR’s Recital 49, quoted below, validates in layman’s terms that cybersecurity exists to help protect personal data and recognises that processing personal data for security purposes is a legitimate interest (the basis set out in Article 6(1)(f)), provided that processing is strictly necessary and proportionate to that purpose.
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
Even though I’m not a lawyer and mine is not legal advice, GDPR does not, in any way, appear to suggest we shouldn’t use new security capabilities, be they cloud or any other, to make cybersecurity better tomorrow than it is today.
Typically, cybersecurity regulation is focused on raising cybersecurity capabilities and adding consistency, the latter being a very tough challenge in a space that is so dynamic. This is why so much of the new legislation uses quite abstract terms, such as “security by design and default” and “taking into account the state of the art”. Legislation quite simply doesn’t change at the same pace as technology innovation; fortunately, regulators understand that.
As such, my challenge is simple. It’s easy to use regulation as a reason NOT to do something new or different, yet that is not the purpose of these laws. New legislation aims to push us to raise our game and help make each day safer than the last. Look at how new legislation empowers you to do so. Don’t get caught up in speculation and urban myths about what you can’t do; instead, check the facts, seek your own legal guidance, and leverage new regulations to raise the bar of your own capabilities. Evolution happens at pace in cybersecurity, and we must continue to challenge ourselves every day on how we play our own role in making each day safer than the last through innovation.