At BraveIT 2019, TierPoint’s Chief Security Officer Paul Mazzucco led a discussion with Renee Murphy, Forrester’s principal analyst for cybersecurity and IT compliance, and John Toney, cyber risk advisor for EY, on trends, tactics and advice for managing compliance and cybersecurity in 2020.
Virtually every private or public business, government agency and non-profit organization is required to comply with data privacy and security regulations. Some may have to comply with a dozen or more regulations from different countries, states or provinces and local governments. Moreover, new regulations and updates to existing ones are released every year as emerging technologies such as edge computing, the Internet of Things (IoT) and social media require new types of protection.
Compliance can be a confusingly complex undertaking, but one which IT security managers must address or risk heavy penalties as well as the potential loss of customer trust. Penalties are becoming more severe. For example, the European Union’s General Data Protection Regulation (GDPR), which applies to any organization that collects or holds data on a resident of the EU, allows fines of up to 2% or 4% of annual global revenue (or €10 million or €20 million, whichever is higher), depending on the seriousness of the infraction. For a company with revenues of $50 million, 4% is $2 million, and because the cap is the higher of the two figures, the ceiling for the most serious infractions is the €20 million fixed amount.
Key insights and advice on compliance and cybersecurity in 2020
Paul Mazzucco interviewed Toney and Murphy about key issues in compliance management. Following are some of their key insights from Inspection! The 2020 Security & Compliance Audit:
Balancing security and business needs
Paul Mazzucco: Often, a security regulation or best practice makes it impossible to satisfy an end-user’s demand for some new application or capability. How do you suggest that IT respond when security requirements conflict with a business need?
John Toney: The first rule of security is ‘what problem are you trying to solve?’ You need to break down [their request] and figure out what problem they want you to solve. Work on what it is that the business really needs. Then you can figure out how to make it happen without breaking security requirements. Sometimes you have to be a bad guy in the situation and say ‘no.’ At P&G we decided to take away USB capabilities from users in 146 countries. I was the guy who had to say to 110,000 employees, ‘you don’t get to use USBs anymore.’ I got a lot of nice hate mail. But sometimes that’s necessary.
How the US should approach GDPR
Paul Mazzucco: A lot of people are worried about the EU’s GDPR regulations. U.S. states have begun passing GDPR-style laws. What do you see down the line in the U.S.?
Renee Murphy: The reason companies are paying so much attention to GDPR now is the high penalties, which are 4% of your gross revenues. In the U.S., companies are OK with paying a $250,000 fine and going on doing whatever they want. But with GDPR, they’re realizing this is a severe financial risk and they need to fix it. Frankly, the best-case scenario would be for all of America to get GDPR, for the federal government to step in and level the playing field. That will happen when 49 of 50 states have GDPR.
Addressing the transfer of risk
Paul Mazzucco: Many IT managers assume that, if their cloud provider is compliant, then they are too. Is that a fair assumption—the idea that you can pass the risk onto your provider?
Renee Murphy: It’s a viable assumption, but if you want to transfer that risk, you need to work closely with your partner and make sure you also transfer your compliance requirements. It’s not in the cloud provider’s best interest to do your risk management or change management for you. That’s a whole lot of liability you’re asking them to take on. So, you need to make them understand your service level requirements and what kind of disaster recovery you require and so on. They typically provide the platform that happens to be HIPAA or ISO compliant. The rest of it is on you.
Watch the full BraveIT session on cybersecurity and compliance
Watch the full session below for more insights on cybersecurity and compliance tactics:
More content from BraveIT 2019
There were multiple panels and sessions at BraveIT, covering topics such as: What 5G will mean for IT organizations, hyperscale vs. hyperconverged infrastructure, IT transformation stories from experts and much more. Watch the full sessions on BraveIT TV. Interested in participating in BraveIT 2020? Pre-register for BraveIT 2020 today.