Security leaders need to focus on minimum effort, not minimum compliance

Experian's Michael Bruemmer takes a Security Slap Shot on the need to harness regulations to drive better security and not just minimum compliance


Is the drumbeat of compliance enough to boost security programs?

Or does the focus on meeting compliance distract us and divert resources away from building the protection we need?

That's the topic of a recent conversation I had with Michael Bruemmer, vice president of Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach planning and breach response.

Michael Bruemmer’s Security Slap Shot:

It’s time to drive cybersecurity by doing the right (and responsible) thing, not just the minimum to meet regulations.

As the Global Data Protection Regulation (GDPR) looms nearer, effective in May 2018, we are seeing a mixed-bag approach to preparedness. Some companies are taking time to reflect on their privacy and security policies, while others are treating it as a “check the box” exercise, if even that. In fact, a recent study conducted by The Ponemon Institute, Data Protection Risks & Regulation in the Global Economy, revealed that over half (59 percent) of companies do not understand what they need to do to comply, and in a misguided effort to do so, 34 percent are already closing overseas operations.

While concerned by the overall lack of awareness and action from companies to address the GDPR, the forecast isn’t all gloomy. On a brighter note, 40 percent of respondents said their companies are taking steps to get ahead of the impending deadline, including investing in new technologies or services, conducting compliance assessments and appointing a data protection officer under the regulation.

That’s precisely what we need more of in security: proactive efforts to understand, assess and act.

In an increasingly fast-paced world, assessing can get cast as inaction. But the effects of demanding immediate results, particularly in cybersecurity, can be detrimental to the long-term success of an organization. This mindset of “get it done” rather than “do it right” creates the conditions where people ask for the minimum set of actions and tools to comply instead of making the right decision for the organization. Yet the companies that take time to assess reap big rewards. Take, for instance, a 2016 study on the cost of cyber crime that found companies that assessed their information management and governance practices and technology needs saved $1 million to $3 million.

If you first understand the regulations, the sensitive data your company holds and current cybersecurity practices/procedures, you put yourself in the position to make a difference. For security leaders, this means reaching out to the business leaders, including the C-suite and board of directors. Not just asking them what they think, but working alongside them to better understand their needs. It also means executives need to include security leaders in strategic discussions to help them get a sense of priorities and guide areas of focus.

At the end of the day, companies need to stop worrying about the myriad of regulations and trying to do the bare minimum for each; rather, they need to develop a comprehensive policy that, yes, meets the regulations, but also maximizes the benefits for the organization and consumers. What we see time and time again is that the companies that are prepared save money—not just in hard costs, such as insurance premiums and third-party services, but in the more holistic manner in which they approach overall cybersecurity. For example, proper assessment and preparation can help companies demonstrate they have taken reasonable and appropriate actions in the face of a breach, potentially limiting their liability and protecting their reputation.

My analysis (some color commentary)

I have first-hand experience working on programs that assessed both the current environment and regulatory requirements before suggesting a course of action. Taking the time to better understand the situation always created better outcomes. Often it created a bit of "future-proofing" against regulation changes because we thought about trends and likely improvements.

A lot of that work drives my sideline focus on “minimum viable security”—what Mike outlined as a minimum effort to get better results. I like the focus.

Your turn—react!

How do we work within the industry to meet regulations by doing right by security? Or does striving for the minimum regulation have a better benefit?

Post your comments on our Facebook page, or take it to Twitter and talk with me (@catalyst) and others.

Ready… set… REACT!
