SOME REASONS WHY CYBER REGULATION DOESN’T WORK
Some good observations from the Internet Security Alliance (ISA) in Washington.
You can hear much more about these issues from a European perspective in our forthcoming course:
CYBERSECURITY: AN EXECUTIVE INTRODUCTION TO MANAGING DIGITAL RISK
Independent research shows that even the industries most heavily regulated for cybersecurity, such as health care and financial services, are not achieving adequate levels of cybersecurity, and in fact do not score better on security effectiveness than less regulated sectors like IT and professional services. We have also documented that even the highly regulated federal government sector scores poorly on cybersecurity effectiveness.
We have also stressed that the quick finger-pointing of the accountability police, who suggest that avarice, incompetence, ignorance or a simple lack of care for security is the fundamental problem, mis-analyzes the situation, badly. To be sure, a certain percentage of the individuals in charge of managing organizations' information security, in industry and in government, are incompetent or uncaring, but this lack of accountability by CIOs and their staff is not the fundamental problem with cybersecurity.
The fundamental problem is that we have an inherently vulnerable system (one that is getting more vulnerable all the time) protecting invaluable data. Once we understand that this is the core problem we need to address, it becomes clear why traditional regulatory models are unequipped to deal with the massive cybersecurity issues we face. A more thoughtful analysis concludes that the traditional regulatory model in use in most regulated industries is simply a poor fit for the dynamic cybersecurity problem. There are several basic reasons why.
To begin with, traditional compliance is essentially a backward-looking pass-fail issue.
Cybersecurity, on the other hand, is a forward-looking risk management issue. In a compliance model you typically have to check off boxes indicating what you have done. You have either filed the forms or not. You are on time or not. You have fulfilled the requirement or not. You can check the box or not. You are in compliance, or you are out of compliance. Pass-fail.
Cybersecurity is not pass-fail. You are not simply secure or insecure. Security is a continuum with gradations of security. Moreover, not all entities, even within an industry sector, have the same security needs or face the same threats. As a result, a traditional check-the-box compliance system is inappropriate for the cybersecurity domain.
Traditional compliance is also a backward-looking system. Did you do X or did you not do it? Cybersecurity is not a backward-looking exercise. Good cyber risk management is forward-looking: one of its critical steps is to anticipate what sorts of threats you are likely to be subjected to and to target your typically scarce security resources toward those attacks.
Over the past few years, the market has actually developed far more appropriate models, such as X-Analytics and Factor Analysis of Information Risk (FAIR), which are far better tailored to assessing cybersecurity practice than generic regulatory checklists. For example, Jack Jones, one of the main innovators of the FAIR model, has suggested a much more useful framework for developing an organizational model for cyber risk assessment. Jones' model has six steps:
1. Use the best available data to assess the possible attack scenarios you face.
2. Focus on the scenarios that are probable and cause enough loss to matter.
3. Calculate best, worst, and most likely cases.
4. Determine to what degree loss is acceptable (risk appetite).
5. Determine what investment is needed to mitigate loss to an acceptable level.
6. Use advanced modeling (e.g., Monte Carlo simulations) to determine the most appropriate spend to address the unique cyber risk for your organization.
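The six steps above can be carried through end to end with a small Monte Carlo simulation. The following is an added example written for this page; it is not code from ISA, Jack Jones or the FAIR standard. It assumes that frequency and per-event loss are each estimated as (minimum, most likely, maximum) triangular ranges, that "best, worst and most likely cases" are read off as the 5th, 50th and 95th percentiles of simulated annual loss, and that risk appetite is expressed as "annual loss above a threshold in no more than a tolerated fraction of years". The ransomware scenario, the candidate controls and their effects are constructed numbers for illustration only.

```python
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Scenario:
    """One loss scenario with calibrated (min, most likely, max) ranges.
    freq is events per year; loss is dollars per event."""
    name: str
    freq: Tuple[float, float, float]
    loss: Tuple[float, float, float]


@dataclass
class Control:
    """A candidate spend: its annual cost and how it scales event frequency
    and per-event loss (1.0 = no effect). Effects are constructed assumptions."""
    name: str
    annual_cost: float
    freq_factor: float
    loss_factor: float


def _draw(rng: random.Random, rng3: Tuple[float, float, float]) -> float:
    low, mode, high = rng3
    return rng.triangular(low, high, mode)   # stdlib signature: triangular(low, high, mode)


def simulate_annual_losses(scenario: Scenario, control: Control,
                           years: int = 10_000, seed: int = 1) -> List[float]:
    """Step 6: Monte Carlo over simulated years. Draw an event rate, turn it into a
    whole number of events (fractional part becomes a chance of one more event),
    and sum a per-event loss for each event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = _draw(rng, scenario.freq) * control.freq_factor
        whole, frac = divmod(rate, 1.0)
        n_events = int(whole) + (1 if rng.random() < frac else 0)
        total = sum(_draw(rng, scenario.loss) * control.loss_factor for _ in range(n_events))
        losses.append(total)
    return losses


def summarize(losses: List[float], appetite_threshold: float) -> Dict:
    """Step 3: best / most likely / worst case as the 5th, 50th and 95th percentiles
    (an assumption of this example), plus the chance of exceeding the appetite."""
    s = sorted(losses)
    n = len(s)
    pct = lambda p: s[min(n - 1, int(p * n))]
    return {
        "expected": statistics.fmean(s),
        "best_case": pct(0.05),
        "most_likely": pct(0.50),
        "worst_case": pct(0.95),
        "p_exceed_appetite": sum(1 for x in s if x > appetite_threshold) / n,
    }


def choose_spend(scenario: Scenario, controls: List[Control], appetite_threshold: float,
                 appetite_probability: float, years: int = 10_000, seed: int = 1):
    """Steps 4-5: evaluate each control; among those that keep the probability of
    exceeding the loss appetite within tolerance, pick the lowest
    (control cost + expected annual loss). Returns (all options, best or None)."""
    options = []
    for c in controls:
        stats = summarize(simulate_annual_losses(scenario, c, years, seed), appetite_threshold)
        stats["control"] = c.name
        stats["total_cost"] = c.annual_cost + stats["expected"]
        stats["within_appetite"] = stats["p_exceed_appetite"] <= appetite_probability
        options.append(stats)
    acceptable = [o for o in options if o["within_appetite"]]
    best: Optional[Dict] = min(acceptable, key=lambda o: o["total_cost"]) if acceptable else None
    return options, best


# Constructed inputs for illustration only (steps 1-2 would produce these from real data).
RANSOMWARE = Scenario("ransomware on file servers",
                      freq=(0.2, 0.5, 1.5), loss=(50_000, 300_000, 2_000_000))
CONTROLS = [
    Control("baseline (no new spend)", 0, 1.0, 1.0),
    Control("offline backups + tested restore", 80_000, 1.0, 0.4),
    Control("EDR replacing signature AV", 120_000, 0.5, 0.8),
    Control("backups + EDR", 200_000, 0.5, 0.32),
]
APPETITE_THRESHOLD = 500_000   # a year with more than this loss is unacceptable...
APPETITE_PROBABILITY = 0.10    # ...and that may happen in at most 10% of years


def run_example():
    options, best = choose_spend(RANSOMWARE, CONTROLS, APPETITE_THRESHOLD, APPETITE_PROBABILITY)
    for o in options:
        print(f"{o['control']:<34} expected={o['expected']:>10,.0f} "
              f"p95={o['worst_case']:>10,.0f} P(>appetite)={o['p_exceed_appetite']:.2f} "
              f"total={o['total_cost']:>10,.0f} ok={o['within_appetite']}")
    return options, best


if __name__ == "__main__":
    _, chosen = run_example()
    print("recommended:", chosen["control"] if chosen else "no option meets the risk appetite")
```

Run it and the table shows why this is not a checkbox exercise: the cheapest control that merely reduces loss per event does not bring the chance of an unacceptable year under the 10% appetite, while the combined spend does, and the decision is driven by the organization's own ranges and appetite rather than by whether a named product is present.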
The goal of tailored, empirical models like X-Analytics or FAIR is to direct cyber spending not toward meeting a minimum prescribed practice but toward organizational effectiveness in combating the organization's unique cyber risks, based on the best available data. If government is going to mandate anything, this sort of process, rather than a set of operational requirements, would be far more appropriate and effective.
The traditional compliance model fails on these criteria. In today's compliance world, you can be compliant and not operationally effective. For example, every security compliance standard says an organization needs to have anti-virus on the endpoint. However, there is no differentiation in the operational effectiveness of that solution. An organization can deploy the cheapest, simplest rule-based antivirus solution and get the "check" for having met the requirement. Those that deploy a more sophisticated (and expensive) behavior-based anti-malware solution get no additional credit. So, if compliance is the only goal, it can be met without gaining the operational effectiveness needed in today's cyber threat environment.
In addition, the measurement systems that are the basis of most regulatory models are similarly inappropriate. In his excellent book, How to Measure Anything in Cyber Risk, Douglas Hubbard provides an extensive review of the statistical literature on the ordinal scales that are the standard measurement technique for much of the existing cybersecurity regulation, and concludes that "There is not a single study indicating that the use of such methods actually helps reduce risk." Given the inappropriateness of the core regulatory model for the cyber problem and the lack of empirical evidence that it works, it would be a huge mistake to expand the model. This is especially true when we realize, as we will discuss next, that the current regulatory system is actually harmful to our security interests. Instead, as we will propose shortly, an alternative model for promoting cybersecurity, including for regulated entities, ought to be put in place.