Companies should spend less time worrying about meeting the minimal requirements for cybersecurity regulation compliance, and instead concentrate on how to protect their most sensitive data and operations. And if they followed that rule of thumb, government compliance would naturally follow suit, according to a panel of experts speaking today at SC Congress Chicago.
“Think about [cybersecurity] divorced from the regulatory landscape,” said David Glockner, regional director at the U.S. Securities and Exchange Commission's Chicago Regional Office, which has its own set of guidelines for publicly traded companies. Rather, “Think about it from a business perspective: What is your most sensitive information? What are your most sensitive operations and what vulnerabilities do you have? And thinking about how you protect what's critical to your business operation in most instances is going to get you most, if not all of the way, toward being… compliant.”
After a company evaluates its own cybersecurity business needs, then it can look more closely at its regulatory obligations, based on the sector in which the business and its partners operate, Glocker continued. (Glockner emphasized that his opinions are not necessarily reflective of the SEC.)
Jerry Irvine, CIO at Chicago-based IT outsourcer Prescient Solutions, said that his company encounters many businesses who make the mistake of building their cybersecurity policies around meeting the minimum requirements of compliance.
“Compliance does not equal security,” said Irvine, noting that his company stresses to clients the need to create “a risk management framework… as opposed to simply being compliant.”
The first thing organizations should do when creating this framework, Irvine noted, is “define your crown jewels” – the assets that are most important to one's company – and then implement the levels of security necessary to protect them.
The ability to effectively analyze one's own cyber risks becomes even more important as additional government agencies – whether imposing guidelines or investigating computer crimes – weigh on how companies should protect themselves. But is the U.S. cybersecurity table getting a little too crowded? Irvine worries this might be the case, and suggested that one entity should take the lead.
“Unless there is one organization that is responsible for each of [these agencies] to develop their standards and to develop their specific security requirements… how are we going to know that they're all maintaining the level of security and performance – the confidentiality, integrity and accessibility – that they require?”
But Glockner said that it's not really possible or practical for a single entity or authority to be in charge of all cybersecurity concerns, especially since virtually every industry sector has assets on the Internet. In other words, while SEC can help monitor or enforce cyber compliance that protects investors and the integrity and resiliency of the markets, it is not equipped to ensure that private health-care organizations, for instance, are following recommended security practices.
Fortunately, Glockner believes that collaboration between government agencies has improved significantly in recent times. “I think that there is a lot of coordination and communication between different government agencies, that has gotten markedly better even within the three years that I've been at the SEC.”