Taking on Heightened Security and Privacy Concerns
2018 demonstrated that cyber threats are far from being tackled. Not only did attacks continue unabated, the new darling of regulation — privacy — came squarely into the spotlight in 2018. Coalfire’s Adam Shnider discusses how in 2019, we can expect compliance and governmental bodies to set the bar even higher to protect data with more expansive and rigorous compliance guardrails — and enterprises to work to meet the challenge with smarter technology and streamlined processes.
While it may appear that enterprise security teams and compliance frameworks have stepped up their game to address cybersecurity risk, this past year evidenced the fact that cyber threats are as present as ever. We predict the following compliance trends will rise to the top in 2019:
1. Compliance in the Cloud
For years, companies have been diving deeper into the cloud, moving more critical functions over for the scalability, efficiency, effectiveness and usage-based pricing models it affords. Yet many enterprises have been hesitant to move functions requiring security compliance into cloud solutions. In 2018, we saw more companies get comfortable leveraging the tools, features and functions native to cloud service provider (CSP) offerings, moving more regulated functions to cloud-based services. Expect this trend to continue and escalate in 2019 as CSPs demonstrate their high level of security and compliance expertise in their native environments.
It will not stop at moving the functions, though: organizations that move to the cloud to really leverage the benefits will be re-engineering their technology stack to take advantage of the elasticity that the cloud provides, which requires a whole new skill set to deploy infrastructure as code, and doing this with security in mind will be an absolute necessity for protecting data and also meeting compliance requirements.
2. Privacy Gets Hotter, Merges with Security Efforts
Before companies mined and shared customer data for targeted marketing and other uses, security efforts addressed privacy concerns by building security controls to ensure the confidentiality of data (as a part of the Confidentiality, Integrity, and Availability [CIA triad] charter of cybersecurity). Once data sharing and big data analytics became a modus operandi and individuals’ desire to have their data deleted and “forgotten” was supported by regulations such GDPR, cybersecurity measures didn’t go far enough to address privacy.
Today, privacy continues to heat up globally with new regulations in Brazil and at the U.S. state level with regulations like the California Consumer Privacy Act and others likely on the horizon both at the state and federal level. The lines between security and privacy are blurring yet again; in meeting GDPR, companies must demonstrate adequate security measures to protect consumer data. In meeting compliance regulations, such as GDPR, many of our customers are taking the additional step of addressing all relevant privacy and security regulations simultaneously. Expect to see privacy regulations continue to expand in 2019 and security and privacy to continue to merge as these regulations not only focus on the confidentiality of the data, but also the right of the consumer to gain access to their data (availability) and ensure its accuracy (integrity), as well as the right to be forgotten.
Along with the move to the cloud and building infrastructure from code, companies will look to automate the validation process by embedding ways to gain visibility into the routine, repeatable and predictable parts of compliance into their architectures. This will allow companies to understand their security in these areas on an ongoing basis and also help streamline the validation process by reviewing dashboards and output from the environment rather than performing manually intensive sampling reviews that are becoming much less relevant and effective as environments are becoming more dynamic with newer technologies. By embedding automated dashboards into the enterprise security monitoring architecture, organizations can not only streamline their annual compliance efforts, but also have real-time visibility into their security status.
4. Simplification of Assessments
“Audit fatigue” isn’t just a catchy marketing phrase, it’s a reality for many enterprises. Many organizations today have to comply with multiple regulations and requirements, and as companies continue expanding into new regulated markets, they will be faced with new compliance frameworks — and it is likely to get even more complex (who would have thought 10 years ago that large retailers would be selling medical services and requiring HIPAA assessments?).
Conducting assessments and compliance cycles separately is not only time-consuming, it’s incredibly inefficient considering the many overlapping operational components that exist to manage the systems that support each set of data across the frameworks. In 2019, look for enterprises to align their assessment and compliance cycles, and expect a single assessment to be performed that can cover all of the requirements at one time for greater efficiency, cost savings and improved resource usage, allowing enterprises to focus the lion’s share of their year on other business drivers.
5. Emerging Tech Meets Compliance
As emerging technology goes mainstream, regulatory bodies begin to increase their interest in understanding the risk and determining changes to existing or new compliance requirements. We are at the cusp of seeing regulation around emerging tech, such as IoT, blockchain and artificial intelligence (AI). NIST recently released the draft report, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” to help federal agencies understand and manage device cyber risks. It is the first of a series of IoT documents; more will follow and become more specific on various aspects of IoT risk. We also closed out 2018 with the announcement of a new U.K.-based voluntary cybersecurity standard for the manufacturers of autonomous vehicles. We predict 2019 will see more orchestrated efforts to employ security standards on these technologies to ensure a baseline of controls is applied to their implementations in regulated environments.