Phil Venables

Regulatory Harmonization - Let’s Get Real 

Every few months some association or other learned group of professionals makes a fresh call to action for cybersecurity regulatory harmonization. The logic being that cybersecurity professionals are spending more time showing adherence to compliance obligations or dealing with the toil due to differences in regulation than they are actually mitigating risk.


I do have some sympathy with this sentiment, but I would push back on this being as big a problem as people generally assert. However, as we shall see, there are different, even bigger, problems often conflated with it - and it is important to address those rather than focus only on the relatively minor issues. In other words - when we say cybersecurity regulatory harmonization is a problem we are actually referring to even bigger issues, but by not expressing those we might only ever solve the smaller, pretty inconsequential, problem. 


So, let’s look at what we might really mean by regulatory harmonization and then look at how the burdens of compliance can be reduced. 


What is Regulatory Harmonization?

In discussions about cyber regulatory harmonization I find that people tend to overload what they mean by cyber. Yes, there is a need for some degree of purely cyber regulatory harmonization but in reality a lot of those controls are actually quite closely aligned. 


Instead, the actual biggest problems cited are related to other regulatory themes and objectives that are not in harmony with cyber, specifically:


  • Other Data / Technology Risks. Other adjacent risk topics can drive immense workload for security teams or are sometimes in conflict with security goals. Many privacy, data localization, resilience, access, quality assurance or safety certifications, to name just a few, when not thoughtfully constructed to be aligned to cybersecurity goals (or at least not directly positioned against them) can drive work and in some cases risks. This is not to say that those adjacent goals are any less important than cyber goals. For example, privacy is vital, but poorly conceived privacy rules can be detrimental to cyber - even though they needn’t be. In many cases, when rules are specified carefully, privacy and security can be mutually supportive.


  • Other Risks Entirely. The unintended consequences of other risk mitigation. This is where other laws and regulation, again well-intentioned, have unintended effects on cyber. This could be regulation that induces concentration risks, market adjustments, disclosure of data, distortion of supply chains and so on. 


  • Evidentiary Burdens. Controls may be sufficiently similar that, in principle, one could measure once and certify many times across different regulations or certification schemes. However, the evidentiary requirements may be sufficiently different that optimizing compliance becomes harder. The burden here falls on the smaller organizations that don’t have the economy of scale to have a sufficiently resourced and skilled compliance team to drive the consolidation of reporting. 


  • Dislike of New Security Baselines. Sometimes organizations cite lack of regulatory harmonization as an issue when they are actually pushing back on some new expected level of security which, incidentally, creates a temporary disharmony (since all regimes can’t realistically be up-leveled at the same time). For example, one regulator says we should have a new (better) control that will incur some expense. Organizations don’t push back on the idea (since it wouldn’t play well to do so) but instead concoct a regulatory harmonization push back to try to achieve the same effect. 


So what should a call to action be:


  • Get to the right root cause. Be brutally honest when coming up with examples of the need for harmonization to show whether it is an actual need for cyber regulatory harmonization or one of the other issues like other regulation impacting cyber or driving inefficient reporting burdens. 


  • Ease reporting burdens. If the actual issue is not so much a control harmonization problem but more so a problem of duplicative reporting burdens related to incident reporting, vulnerability or other risk disclosure then say so - and collectively push for reusability and alignment in formats of disclosure for certain types of issue. 


  • Educate regulators. Partner with and educate regulators, broadly, on the need to address this. For example, having cyber impact considerations in all regulation and looking at adjacent risk mitigation. 


  • Forget total unification. Don’t focus on the unrealistic total unification of disparate standards. Instead, make the goal to promote, among regulators or associated certification schemes, the re-use of other certifications and the acceptance of slightly more generic control evidence so that “measure once and certify many” can be a new basis of conformance. 


Efficiently Managing Compliance 

We do need to keep driving harmonization (or at least the reduction of the worst types of disharmony). Perhaps more importantly, we also need to look at the reality of how to be more efficiently compliant. Even in a world of more significant harmonization there will still be multiple compliance regimes to adhere to, often because there will be security elements of non-security regulations that cannot ever be harmonized. 


It’s going to be hard to do this if we keep sticking to the still commonly expressed thought that “compliance is not security”. This statement isn’t actually true. Much of what you might consider a compliance approach can actually foster good security - it is just not enough in all cases. In other words, compliance is a necessary but not sufficient condition. Even inside your own organization you probably run a compliance regime of policies, standards, and controls assurance. Just because those policies and standards don’t cover all possible risk circumstances for all time doesn’t mean you don’t get substantial protection from assuring that baseline. But for now, let’s focus on externally created compliance regimes.


First, let’s define compliance as some scheme or rule set to assure a system of governance, risk mitigation and controls that you are operating in evidenced conformance to. This rule set can come from a published specification set by some legislative, regulatory or self-regulatory organization. 


There may be aspects of that rule set that correspond to good risk mitigation, some that do not, and perhaps even some that actively work against good risk mitigation.



In any industry where there can be material impact from incidents, regulations to protect customers are vital. Writing good regulation is hard, especially when you have to balance standards that can be measured (but can become outdated quickly) vs. principles to follow (that can create ambiguity). There are many great professionals in regulatory bodies who perform their role in a spirit of public service but, because they are not immersed in the day-to-day operations of organizations, are challenged to stay precisely up to date. Also, the necessary comment periods for regulatory changes preclude rapid adjustment. 


We need to keep working to make regulation more closely correspond to risk - to drive the circles closer together. However, given the constantly changing nature of risk, the best we can often hope for is regulation to be constantly chasing this - getting closer but never fully overlapping. Somewhat cynically, it might even be a victory to just have them not get further apart given the dynamics of many rule-setting environments. 


Now, this can be even more problematic as many organizations have to deal with multiple domestic and international legislative and regulatory codes. That can look something like this:

Compliance regimes for various aspects of security are not only necessary but are actually important (for example: PCI is often criticized as not setting a standard to assure mitigation of all risks, but it is hard to argue that PCI standards have not in any way improved the protection of cardholder information across a range of sectors). Given such regimes will be ever present it is on all of us to improve what constitutes compliance and how it can be efficiently enforced. In doing so we can preserve sufficient resources to mitigate the other risks we should be concerned about, not just those stipulated in compliance rules. There are 7 focus areas to do this:


1. Efficiency and Compliance by Design

Adopt compliance rules as a key part of continuous control monitoring and baseline configurations - compliance by design. This is especially important for topics like privacy where there might be multiple regimes. Adopting a universal baseline for your organization that can be efficiently enforced, but which maps (for the most part) to those specific laws and regulations, will be important. Efficient and effective compliance can be a competitive differentiator in most industries, not just to avoid issues but to incur less overall cost and effort in maintaining adherence. 


2. Partnership

Partner with regulators or rule-setters to make the rules better. Regulators are usually well intentioned and professional people who are trying to make what they define as close as possible to the risks which need mitigating. For most rule-setting schemes there are processes to request changes, improve new versions and coordinate public comment on new rules. Don’t be a Prima Donna - work with the process.


3. Seek Opportunity

Make compliance monitoring and conformance a living process and look at areas of non-compliance as a symptom of a deeper problem. This could be a failure of compliance by design manifested as an efficiency issue. A signal given off by some specific lack of compliance could also point, indirectly, to an issue that represents other risk. 


4. Necessary but not Sufficient

Do not equate compliance with being enough to mitigate your risks. Educate your Board and leadership that compliance is a minimum baseline. 


5. Drive Harmonization

Actively work with your industry peers, domestically and internationally, in each sector you operate in to harmonize rules and/or create frameworks that map across multiple regulations. A good example of this is the financial sector’s Cyber Risk Institute approach which consolidates 2,300+ regulations into 277 diagnostic statements. 


6. Take a Broad View

Look out for regulations, especially during comment periods, that might not ostensibly be about security, privacy or resilience but could in any case have significant impact on these as a second order effect. 


7. Transitive Compliance

Watch out for compliance expectations that confer obligations to uphold other rule-sets you might not have considered in scope (this can sometimes be a positive effect). 


Bottom line: when calling for regulatory harmonization we must get specific and honest about whether the problem is actual cyber regulatory disharmony or the impact of adjacent risk regulations causing unnecessary burdens from incompatible reporting or, worse, control objectives that actively work against good security. That is the bigger problem. At the same time we can create more efficiencies in compliance, purely within the cyber domain. In doing that we can then better illustrate to our regulatory partners where the opportunities for actual harmonization are. 
