Security pros know that compliance does not equal security, yet compliance continues to be a top driver for security investment.
Given that compliance and audit mandates are more tangible measures for non-security executives, requesting support for tools and processes that help meet these requirements is an excellent lever to pull when the need arises. If compliance helps improve security and data breach prevention in any way—albeit what’s considered the “lowest bar” by many security practitioners—so much the better. Compliance might not be the best or even right way to practice security by security’s definition, but it is inching things along. Just not well or quickly enough.
Despite the 25,000 plus new cybersecurity regulations that have cropped up in the last decade, data breaches keep happening. With every week comes a new report of a different company that lost millions of customer records, and in every one of those breaches a failure to prevent the breach or limit the damage from a network compromise can be traced back to lack of security fundamentals. Clearly, compliance isn’t enough motivation for data breach prevention. Even the fines and cleanup costs of a breach haven’t been enough: It’s a business risk. And risks sometimes incur costs. A potential data breach is simply the cost of doing business today, or so the justifications go, right or wrong.
New GDPR Fines Change the Game
In the last few weeks, though, table stakes have grown higher. The Information Commissioner’s Office (ICO), Britain’s top watchdog and privacy enforcement authority, has levied huge fines against British Airways for a 2018 breach of 500,000 customer records and Marriott for a 2018 breach of 383 million guest records—both for violating terms of the General Data Protection Regulation (GDPR) which went into effect in May 2018. Respectively, the £183 million and £99 million fines (~$228 million and $124 million in U.S. dollars), are the largest on record, dwarfing previous assessments for non-compliance with data protection and privacy regulations.
The ability to not only promote the security of sensitive data, but be able to demonstrate that your company’s systems are constantly free from malware, unauthorized access, and other threats that lead to breach is a competitive advantage, and the business can use that demonstrable proof to win business, expand partnerships, and generally grow revenues.
For some perspective, the maximum fine under the 1998 Data Protection Act was £500,000 ($607,000), which was imposed on Equifax and Facebook. Clearly the recent fines are meant to up the ante and cause greater financial repercussions to companies that jeopardize their customers’ data. At the end of the day, though, will the costs become “just another cost of doing business?” Will businesses resort to building bigger buffers, either through increased costs that are passed along to the consumer or fatter insurance policies?
Cybersecurity regulations—the thousands upon thousands of them—are meant to pressure companies into better cybersecurity practices. That hasn’t worked as well as it should, since most security pros view compliance as the absolute minimum. And despite the new rules, security fundamentals continue to fall to the wayside. Many companies still don’t truly know the extent or entirety of assets communicating on their networks; sensitive data and systems are allowed to connect freely across flat, unsegmented networks; and administrative accounts continue to be run with excess privileges. While compliance isn’t getting the job done when it comes to data breach prevention, maybe outrageous fines from governing bodies might be a bit more of a deterrent. Only time will tell.
But it seems unlikely.
The threat of a breach isn’t affecting the desired effects when it comes to companies adopting stronger cybersecurity tools or processes. Fear, uncertainty, and doubt are time-tested human motivators, but money talks. Until now, the conversation hasn’t been big enough to drive radical change in data protection strategies. And while GDPR will likely put a larger dent in organizations’ financial ledgers, the promise of more business and more revenue has a higher probability of attracting the attention of boards of directors and business executives than the threat of the unknown, a.k.a. nameless, faceless cyber criminals.
The Benefits of Security and Privacy Protection
Organizations that want to accomplish the (seemingly) impossible goal of shoring up the security basics and preventing the breach of sensitive applications and databases which contain customer and company-proprietary data need to take a new tack. Instead of looking at cybersecurity as a cost center (saying, for example, “We need X amount of money and support to buy new tools and implement new processes that result in no cyber criminal activity and no negative audit findings”), perhaps it’s time to do something radically different: promote the privacy and security of your customer, partner, and company data as a competitive advantage.
Awareness of data breaches is at an all-time high, meaning that anyone who does business with your business—be they consumers, suppliers, or partners—understands the importance of keeping private data private. Enforcement of privacy requires strict security control. The ability to not only promote the security of sensitive data, but be able to demonstrate that your company’s systems are constantly free from malware, unauthorized access, and other threats that lead to breach is a competitive advantage, and the business can use that demonstrable proof to win business, expand partnerships, and generally grow revenues.
For too many years, compliance has driven security objectives, like it or not. Mapping controls to a framework or audit report is a good first step, but we have yet to see the proof that doing so prevents breaches. Changing how you think about or position data breach prevention won’t change the requirement to practice better security, but doing so changes the game from a zero sum outcome to one that focuses on improvement and enhancement.
It’s time to start looking at security as a business driver instead of a black hole. And when the business can continuously demonstrate that it has implemented and is managing the controls that keep systems free from malware, prevent unauthorized access, and limit the “blast radius” of a network compromise to avert a full-scale data breach, it not only avoids budget-busting fines and media smears, but gives consumers a reason to trust—and invest in—the company’s commitment to data privacy. 
Katherine Teitler is a cybersecurity speaker and writer based in Medford, Mass.