As a veteran security practitioner, I can attest that the cybersecurity and information security landscape has evolved dramatically in the last 30+ years. At the beginning of my career in IT, the ability to recover data from a hard disk drive was just starting to become possible, and the first computer viruses were problematic at times, but they were often more annoyances than anything else.
The cybersecurity landscape has changed over time, but like all technology-based bodies of knowledge, it is now in a state of constant evolution: bad actors keep evolving their techniques and tools, and cyber defenses in turn adapt to address the new threats. Part of this cyber evolution includes cybersecurity legislation meant to help protect against the various types of cyber threats out there.
According to the United Nations Conference on Trade and Development (UNCTAD), 80% of countries worldwide have what the UNCTAD refers to as “cybercrime legislation”, and a further 5% of countries have draft legislation. This UNCTAD count is quite comprehensive, as it includes e-commerce legislation, consumer protection, privacy and data protection, and cybercrime, but all of these areas are relevant to a cybersecurity practitioner. Business leadership needs to at least be aware of how these various cybersecurity legislations might impact the organization. Based on the UNCTAD count, there are more than a few hundred cybersecurity legislations across the globe, and furthermore, many of us in cybersecurity must be aware of and maintain compliance with regulated standards and frameworks (e.g., ISO/IEC 27001, NIST, SOC, PCI DSS).
How can you keep up with all this information?
There are a few tips to help any security or privacy practitioner wade through the sea of compliance requirements out there. Firstly, a quick definition of legislated versus regulated compliance, as I see it: legislation is similar to law, in that it consists of requirements defined and approved by governments for application to their citizens or within their borders, whilst regulations are requirements that are typically defined by an industry or practice body.
An example of a cybersecurity legislation would be something like GDPR or the Singapore Cybersecurity Act (CSA). Examples of regulatory types of compliance might be the increasingly common requirement in lottery and gaming for certification against ISO/IEC 27001 or the requirement by the PCI Council for entities that process payment card transactions to be compliant with PCI-DSS.
Although the distinction between cybersecurity legislation and cybersecurity regulation is partly a matter of semantics, I believe that most cybersecurity professionals do not have time to make it when they are considering what applies to their organization.
When I worked as a CISO or a vCISO, one of my early goals in the role was always to put together a list of the cybersecurity legislation applicable to the organization (including regulatory compliance requirements). Once I understood what was applicable, I could then start to build a security roadmap to:
- Implement compliance
- Measure compliance
- Report compliance
- Improve upon compliance
By mapping the various compliance requirements, I could also look for commonalities between the various legislations and thereby implement a control once to address many legislative or regulatory requirements. This can be a daunting task if you start from scratch yourself, but there are some free tools out there to help you get it done. For example, NIST publishes its SP 800-53 framework in a spreadsheet (its Control Catalog Spreadsheet), and organizations such as the Cloud Security Alliance publish their control framework in spreadsheet format as well, mapped against other frameworks and standards such as ISO/IEC 27001. Using these already built spreadsheets, you can start your mapping exercise. There are also commercial tools out there to help you navigate some of this landscape, but many of them do not include privacy legislation, so be sure to choose a tool that includes the content you need (because, otherwise, you can probably build your own spreadsheet just as efficiently and for a lot less money).
Free online resources such as the one I mentioned previously, unctad.org, can help you begin to scope the legislation that applies to your organization, but be aware that some legislation has evolved to apply to the data of a jurisdiction's citizens regardless of where that data ends up. For instance, the New York SHIELD Act and the California Consumer Protection Act (CCPA) are both USA State-level government privacy legislations, but if your organization is, for example, based in the UK and holds US client data for citizens of New York State or California, then those State-level legislations could apply to you. It is important to scope your compliance requirements and to ensure that you have completed your compliance mappings.
Luckily, there are many commonalities among the various legislations across the globe, and this becomes very clear when we apply the two security triads that many of us learned while studying the core ISO/IEC cybersecurity standard, ISO/IEC 27001. The Confidentiality, Integrity, and Availability (CIA) triad and the People, Process, and Technology (PPT) triad can both be used as lenses to focus your view of the multitude of cybersecurity legislations in the world. In cybersecurity, you are always looking to protect data or assets by applying both of these triads, and the same applies to data privacy protection. Data privacy legislation also shares some commonalities: consent, use, disclosure, and correction, for starters, are common principles of data privacy. As a cybersecurity leader or influencer, if you keep these core security principles in mind and use them as foundational material for your security programs, then you can, in my opinion, better navigate the cybersecurity legislations in scope for your organization.
What if you are not a cybersecurity leader or influencer and you want to provide relevant security guidance to non-cybersecurity audiences?
When I am communicating with senior management or even to the Board level, I frame the cybersecurity discussion in the context of the business by:
- Converting technical or cybersecurity-specific information into the language of what the actual threat to the organization looks like (e.g., ransomware can cause loss of access to assets, so what would that cost the business in each case? This is more useful than describing ransomware and how it can be combatted)
- Avoiding the Fear, Uncertainty, and Doubt (FUD) approach (e.g., ransomware is everywhere, it is getting worse, and we will lose everything if it hits us!). FUD is similar to the fable of Chicken Little, who constantly went about saying the sky was falling until no one listened anymore.
If there is one thing that this global pandemic has taught us, it is that no matter how bad we know the situation is now or can become, we all get fatigued by being given nothing but negative news. As responsible adults and responsible cybersecurity practitioners, we cannot ignore reality and pretend everything is fine, because that will solve nothing and potentially make things worse. We do what we can to help the situation, and this type of solution-driven discussion is a great way to push your cybersecurity agenda forward. With regards to cybersecurity legislation specifically, looking for ways to make the applicable legislation work for your organization can make compliance more functional, as opposed to being just a check-box exercise (e.g., by getting your operations teams to document their processes and procedures as part of compliance, you can now rely on documented information that is available to anyone who needs it at any time).
What if you are a busy non-cybersecurity person who needs to know enough to understand the cybersecurity needs?
There are online news sources available to the busy non-security team member: PECB Insights magazine, PECB webinars, and PECB Conferences are a few good examples, and there are others out there. In addition, I have personally seen Board members be recommended to complete some basic cybersecurity training so they can at least understand the context of data and privacy protection in their organization. Ultimately, you will need to find the best way for you to swim through the ocean of cybersecurity legislations out there and, as with all things these days, you should expect a lifelong learning experience on this topic!