
Navigating cybersecurity compliance challenges is more than just checking boxes


Compliance is becoming a key component of cybersecurity, but navigating the complex regulations and standards across different countries and industries is a challenging feat. In this video, Steve Winterfeld, Advisory CISO at Akamai, talks about the challenges organizations are facing and the developments that are occurring in this space. He says, “The goal should be to have a security program that as a byproduct is compliant, not a program that is compliant.”

Compliance challenges in cybersecurity

  • Winterfeld emphasizes the importance of compliance in cybersecurity, highlighting the complexity of managing multiple regulations and standards across different U.S. states, countries, and industries.
  • Winterfeld explains compliance is much more than just checking boxes. It is a continuous process of implementing best practices and standards to protect sensitive data.
  • Compliant companies still suffer breaches, so the goal should be to be secure, with compliance as a byproduct, rather than merely to have a compliant program, since compliance does not necessarily guarantee security.
  • Winterfeld discusses the available resources for navigating security best practices and compliance, such as the NIST Cybersecurity Framework and the OWASP Top 10. However, organizations need to combine best-practice frameworks with the checklists for each regulation they are subject to.

Cybersecurity compliance and risk management

  • Not being compliant can have serious consequences, from fines to corrective measures, so it is crucial to ensure the rest of the business can operate as it should and to do right by the customer by practicing due diligence.
  • Cybersecurity is now a board-level issue, with discussions being prompted by the SEC’s new rules, which require disclosure of incidents that have a material impact.

Cybersecurity framework evolution and government initiatives

  • While NIST’s cybersecurity framework used to focus on identifying and mitigating threats, NIST 2.0 adds a new governance function that emphasizes risk management and supply chain security.
  • Winterfeld tells us he is seeing a lot of collaboration between governments and organizations and information sharing to address cybersecurity threats.
  • Since NIST is a US International Organization for Standardization (ISO), US companies that have a more international base will likely also consider the dominant European equivalent.
  • Winterfeld explains that data security is a key consideration for US companies with European customers: it is important to know where the data resides, who is using it, and which rules protect the data of European citizens.
  • EU regulation DORA (Digital Operational Resilience Act) is coming out and Winterfeld believes that it is likely a similar law will be implemented by a U.S. state like California, Texas, or Florida.

AI regulations and standards for businesses

  • Winterfeld highlights the importance of AI safety, transparency, traceability, non-discrimination, and environmental friendliness in developing and deploying AI systems so that they are auditable.
  • While regulations can help users stay safe while allowing developers to innovate within certain guardrails, Winterfeld notes an added complexity: developers may be working across different industries and business models, each of which attracts different standards.
  • PCI DSS 4.0 changes the risk approach, acknowledging that one checklist does not fit all the different business models. However, there can be a time lag in implementing these regulations.

Compliance regulations and their impact on CISOs

  • Although GDPR, PCI, and Open Banking PSD2 regulations mention APIs, Winterfeld is not aware of any that directly focus on APIs.
  • Winterfeld discusses how compliance requirements for ransomware payments vary by jurisdiction, with some states banning government entities from paying ransomware demands.
  • Notifications are becoming the broadest set of compliance requirements, but, as in the BlackCat incident, companies can find themselves hit by a double whammy if they fail to notify their regulator in time.
  • Winterfeld highlights the changing landscape of CISO liability, with increased awareness of individual exposure and the need for insurance coverage.

Guest: Steve Winterfeld (LinkedIn)
Company: Akamai (Twitter)
Show: Let’s Talk

This summary was written by Emily Nicholls.