Digitization is invading all aspects of business, government and daily living. As a result, we are facing myriad new possibilities and new demands. Now more than ever, security must be addressed pervasively across the growing community of those with whom we connect, both directly and indirectly.
Awareness of this need is driving continued proliferation of regulations, standards and guidance that touch on security architectures and their deployment, internally and across the third party ecosystem.
While public-private partnerships and governments worldwide are responding, they are doing so in a sometimes divergent manner. Today, while we recognize the criticalityof security, it is also evident we live in a divided and often confusing world of security practices and requirements. That division has had some unique and varied manifestations recently.
In the last 6-8 months, we have seen an assortment of efforts at the state, regional, national and multinational level. Here are just a few examples:
At the U.S. Federal level, NIST has added cyber supply chain risk to the latest draft revision of the Cybersecurity Framework, the Department of Homeland Security issued its Strategic Principles for Securing the Internet of Things, and we are awaiting the President's Executive Order to enhance national cybersecurity.
Feeling the need to go beyond the guidelines of the nation of which it is a part, New York State introduced cybersecurity standards and requirements for financial institutions.
Internationally, the People's Republic of China enacted a cybersecurity law requiring foreign companies to provide China's government with potentially sensitive information about network equipment and software. In addition, the European Union's Directive on security of network and information systems requires companies in critical sectors – such as energy, transport, banking and health – to adopt risk management practices and report major incidents.
So what is a multinational or multiregional enterprise to do? For some time now, I suspected that this growing body of security “guidance” would interest lawyers and actuaries. Why? The challenge to “get security right” is forming a de facto legal standard of care. This standard of care could then be used to define “negligent action” for which an enterprise may be liable.
Key baseline areas that can work to ensure enterprise-level operational efficiency and potentially protect against liability for “security negligence” include:
- Setting forth specific software development security baselines,
- Identifying those public sources listing vulnerabilities of which we MUST be aware, and
- Establishing baseline mitigation techniques that are within the “appropriate” level of care.
We must look beyond our own enterprises. In a connected world, each of us connects with a changing, and often growing, third party ecosystem. This external ecosystem is also a source of security liability. If you are not fully recognizing the security impact of third party ecosystem, there is a yet another reason for liability concern.
What can we do to address this third party security risk and ensure security for our customers? I propose the following:
- Identify the key players in your third-party ecosystem and understand what those third parties deliver to you,
- Develop a flexible security architecture that can be shared with and deployed across the variety of third parties in your ecosystem,
- Assess whether those third parties are operating within the tolerance levels set by your security architecture, and
- Be alert to new security risks that the ecosystem may present as digitization increases.
The news is good: while a new era of security liability may be upon us, reasonable baselines of care for your enterprise and your third party ecosystem will not only enhance your enterprise security, they may just keep the lawyers and actuaries at bay.
