By Anne Klebsch
When it comes to compliance, it’s all too easy for businesses to fall into the trap of obeying the letter rather than the spirit of the law. Distilling regulatory requirements down to a checklist of things that must be done is a fine and well-practiced art, but it perhaps misses the point of why the legislation exists in the first place.
This is especially true in areas relating to technology and cybersecurity, where regulations are deliberately written to be forward-looking and to encourage best behaviors, rather than being prescriptive and rule-based.
Regulations such as the EU’s Directive on security of network and information systems (NIS Directive) don’t list in absolute terms technical configurations an organization must implement in order to be compliant, but instead use deliberately flexible language, and the interpretation of this can evolve at the same speed as the technology it seeks to regulate. Reference is made to the “state-of-the-art” technology, rather than specific technology to implement, for example.
The NIS Directive is one of many laws and directives emerging around the world that seek to improve the overall level of cybersecurity capabilities applied, in this case specifically in the world of digital service providers and operational technology (OT), including operators of essential services such as energy, healthcare, water and financial markets.
The principle, as has been repeated by several national regulators, is not to present businesses with an impossible moving target for compliance, but rather to encourage ongoing investment in security as the right thing to do – something that is lost when compliance is the goal only for compliance’s sake.
Mistakes of Compliance Security
From a business perspective, adopting the attitude that the purpose of a cybersecurity policy is to meet regulations is a mistake on three key levels.
Firstly, it’s entirely possible to be compliant but not secure – no legislation can be a full defense against the constantly evolving tools at criminals and bad actors’ disposal. Investing in good cybersecurity practices of constantly testing current systems, evaluating new technology and implementing improvements, on the other hand, goes a long way toward meeting – and often exceeding – the requirements of the regulator. Policy and practical validation go hand-in-hand and complement each other, but having the one without the other is not the way forward.
Secondly, investing in compliance without improving security can do more harm to an organization's reputation than it does good. While compliance (potentially supported by certifications) is often a requirement of customers or stakeholders, overall investment in improving cybersecurity is seen as an additional cost for companies. Often, those investments will not show immediate results, meaning convincing management to invest in cybersecurity can be a challenge in itself.
However, if a security incident occurs and reveals that a company has failed to take necessary security measures despite claiming legislative compliance, business partners will become wary. Was the organization “cutting corners” when implementing its cybersecurity policy? If that is the attitude of the company, where else may it similarly cut corners? Supply chains are coming under closer scrutiny: business partners are starting to request not only relevant certifications but also full cybersecurity audits and policies; this will be key to winning business in the future.
The third reason to be wary of compliance as a goal is that not every sector has strong regulations in place. This means one part of an organization may be governed by cybersecurity laws while another part is not. Focusing on compliance alone may lead to missing out on more effective security measures that can be applied company-wide. Compliance does, however, usually mean critical systems are able to recover quickly from any incident, whether that be a hardware failure or another non-cybersecurity-related threat.
Compliance requirements can be critical to opening a dialogue with the board about cybersecurity policy and plans. They provide a powerful argument that investments must be made. But the overall goal for any organization should be to keep risks as low as reasonably practicable for the business and its customers. That will mean implementing smart, cost-effective security measures; not completing a checklist from start to finish.
Anne Klebsch is an ICS Security Consultant at Applied Risk. As a certified Global Industrial Cyber Security Professional and Information Systems Auditor holding an MSc degree in Computer Security, Anne has over 9 years’ experience in IT and OT security from a range of major international companies. Her expertise revolves around risk management, governance and regulatory compliance.