Regulatory Compliance Mandates Encourage Better Cybersecurity

Cybersecurity risks are directly tied to legal and regulatory risk, according to a recent (ISC)2 Security Congress session. John Bandler, founder of Bandler Law Firm PLLC and Bandler Group, said the legal requirements relating to information governance include cybersecurity, privacy, incident response and breach reporting.

Bandler believes the laws and regulations surrounding regulatory compliance have forced organizations to take a good hard look at their overall cybersecurity. While some in organizational leadership have long recognized the threats to sensitive data and have taken steps to reduce the risk, the sad truth is that most business decision-makers deploy cybersecurity only because the law requires them to.

In an informal poll of session attendees, 42% said their company does not provide enough resources for information security and 71% admitted that laws and regulations help the cybersecurity team get the funding and systems they need.

“In a way, this is a good thing because it is encouraging organizations to do something they wouldn’t ordinarily do,” said Bandler. “The danger is we look at cybersecurity as a matter of legal compliance without first focusing on the goal of protection.”

The Intersection of Laws and Technology

Technology touches every moment of our lives, and it intersects with business and law in many ways. Where these three areas overlap is the area of cybercrime. And no one, said Bandler, can avoid that intersection.

A cybersecurity professional has to understand business and law in terms of their impact on technology, and a lawyer needs a working knowledge of technology risks and how they impact business. Cybercrime falls under either criminal law or civil law. Criminal law focuses on the unlawful aspects of a cybersecurity event or incident, while cybersecurity and data privacy are relatively new areas of civil law.

“The main reason cybersecurity must be of such high priority is criminal activity,” Bandler said. But the criminal justice system currently does a poor job of addressing cybersecurity’s role in cybercrime.

Bandler said there are three areas where there’s a lot of room to improve:

• Cybercrime needs better investigation and prosecution

• There’s a great need to develop a higher degree of deterrence

• InfoSec professionals play an important role in these investigations

Every cybercrime should be investigated, Bandler added, because if you don’t investigate and bring threat actors to justice, there is nothing to deter them from becoming bolder and more aggressive in their attacks—which is what they are doing.

“Even low arrest rates would serve as some kind of deterrence, and we have none in cybercrime,” he said. There is also the duty of the justice system to protect consumers if they become a victim of cybercrime through a corporate data breach.

Regulatory Compliance and Cybersecurity

The varying legal requirements can be confusing and may use different terminology to say the same thing. Still, it is up to each organization’s decision-makers to understand what regulatory compliance mandates and which cybersecurity and data privacy laws they must follow.

“First, you want to follow the spirit of that law and the primary goals of that law, which are security and protection of your organization and to protect the consumers,” said Bandler. “We don’t ever want to say, ‘Let’s check that box to comply with the regulation’ without thinking of those overall goals.”

Bandler suggested organizations take the following steps to keep legal requirements, compliance and cybersecurity aligned:

• Identify applicable external rules (laws and regulations set by federal, state and industry standards)

• Seek guidance to build security frameworks

• Create (or update) internal rules so they are compliant with external rules

• Ensure action follows those rules

But regulatory compliance goals should not be treated as separate from the company’s overall cybersecurity goals.

“Always remember the first priority,” said Bandler, “protect the organization first, and compliance will follow.”

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.