The need to prove network compliance is intensifying as lawmakers introduce new privacy legislation and organizations update their contractual security requirements for third-party vendors.
About the author

Matt Honea, head of security and compliance at Forward Networks, is a security expert with a background in areas including threat intelligence, networking, system forensics and discovery, enterprise security auditing, malware analysis, and physical security. He is an industry speaker, author, and frequent security podcast guest.
Matt holds a U.S.-granted patent and multiple U.S. government awards, and was selected as one of Silicon Valley Business Journal’s 40 under 40.
Determining whether an organization will meet compliance standards is simple for those who know their network’s behavior, device configuration, and security posture. Unfortunately, most enterprises don’t have this information readily available and spend months manually preparing for inspection.
Continuous access to accurate inventory, real-time data collection and retrieval, and automation are crucial to detecting network issues and thwarting cyberattacks. Those elements are game changers in preparing for and proving compliance by enabling organizations to proactively monitor the network and enforce compliance in a dynamic and efficient manner.
Compliance drivers
The network is the backbone of the business; for many organizations, their digital assets are more valuable than their physical assets. Increases in cybercrime, globalization, monetary risk, and the need to maintain certifications mean compliance must be continually assessed and documented.
As nation-state-affiliated cybercrime increases, the pressure on enterprises to continuously prove and document compliance is intensified. Another driver is globalization. As businesses and industries become increasingly globalized and targeted by bad actors, the need to standardize regulations to protect consumer information and address cross-border issues intensifies. This has led to the creation of international, country-specific, and industry-specific guidelines with which businesses must comply, such as the General Data Protection Regulation, Australian Information Security Manual, and Payment Card Industry Data Security Standard.
According to the United Nations Conference on Trade and Development, more than 150 countries have enacted cybercrime legislation. New legislation will increase the complexity of proving compliance, a process that is already time-consuming and costly.
Noncompliant organizations face serious consequences, including legal penalties, significant fines, operational disruption, loss of business opportunities, and loss of customer trust. But arguably the biggest risk of security and privacy noncompliance is reputational damage, which can have a cascading effect that negatively impacts relationships with customers, suppliers, manufacturers, investors, employees, and other critical stakeholders long after the incident is resolved.
The costs of a data breach are rising. In recent weeks, MGM Resorts, Caesars Entertainment, and Clorox have been targeted by massive cyberattacks that have caused material damage, supply chain issues, and customer dissatisfaction.
Many organizations are turning to cyber insurance to help them mitigate financial risk, but qualifying requires extensive documentation of the network. There are also limits, exclusions, and capacity towers that change dynamically as the risk changes. This means the policy coverage an organization has today does not guarantee the same coverage next year.
Challenges in proving compliance
Unlike consumer data privacy, no single global oversight body exists for security compliance.
Instead, frameworks and standards bodies such as System and Organization Controls, the National Institute of Standards and Technology, and the International Organization for Standardization offer security standards and guidelines. Oftentimes, enterprises will adhere to the guidelines recommended by one of these and then customize their compliance policies based on the requirements of their customer and third-party vendor contracts.
Regardless of which standards an organization chooses, proving compliance requires an intense data collection process. This is often where organizations struggle. Data might be scattered across various systems, databases, departments, and locations within an organization. Gathering data from these disparate sources can be complex, time-consuming, and error-prone.
Additionally, collecting and managing large volumes of data can be overwhelming, especially when identifying relevant data for compliance purposes. Enterprises also grapple with ensuring the accuracy, completeness, and consistency of their data. Poor data quality can lead to compliance violations, audit failure, and misinformed decision-making.
Further adding to the complexity, preparing for and proving compliance often involves handling personal data that requires extreme caution when it is collected and stored. Organizations must ensure compliance with privacy mandates, which are regulated at the federal level in the United States by the Federal Trade Commission. A dozen states have enacted comprehensive data privacy legislation.
To address these and the host of additional challenges associated with proving compliance, companies need a well-defined data governance strategy that includes policies, procedures, and technologies for data collection, quality assurance, and compliance monitoring.
A modern-day approach
Organizations must adopt a proactive approach to protecting sensitive data and systems, one that provides a real-time, dynamic, and detailed view of the network’s behavior, performance, and configuration. This includes regularly assessing cybersecurity risks, implementing appropriate security measures, training employees, and staying up to date with relevant cybersecurity laws and regulations.
An organization’s assets, including servers, databases, and network devices, must be inventoried comprehensively as part of a modern compliance approach. Asset inventory is a fundamental step in understanding and managing compliance because it provides the necessary foundation for assessing and addressing regulatory requirements, security controls, and risk management. As part of this inventory assessment, sensitive data must be identified so that its location, access paths, and transmission are known and continually monitored.
Because modern networks and infrastructures are dynamic, organizations must also have access to real-time data collection and retrieval, covering servers as well as networking devices such as switches, routers, and firewalls. Additionally, data needs to be collected from internet of things (IoT) and other nonserver devices to ensure holistic knowledge of the network. This helps organizations keep up with changes, ensuring new assets are properly configured and that compliance is maintained as the network changes. Real-time data collection also allows organizations to detect and respond to compliance violations or security incidents more quickly as they occur.
In addition to real-time data collection and retrieval, automation is crucial to ensuring compliance-related processes are executed consistently and without human error. This consistency is vital for meeting regulatory requirements over time. Automation also enables compliance teams to put data into action to address vulnerabilities quickly, for example by adding redundant routes so the network stays resilient if a breach forces a failover, or by deprecating old devices without introducing risk, so that configurations remain homogeneous across devices.
Automation not only helps organizations prove compliance but also plays a vital role in ongoing compliance maintenance. By automating repetitive tasks, monitoring, reporting, and policy enforcement, organizations can enhance their overall compliance posture, reduce risks, and efficiently navigate the complex landscape of regulatory requirements.
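One way to put the three pieces described above (asset inventory, collected device configuration, and automated policy checks) together, as an added illustration that is not part of this article or of any Forward Networks product: a small Python script that holds a constructed device inventory with collected configuration snapshots, evaluates each snapshot against a handful of policy rules, flags management directives that differ between devices of the same role, and summarizes the result for an auditor. The hostnames, addresses, configuration directives, and rule identifiers are all constructed for the example; in practice the `config` field would be filled by a collector polling the devices rather than written inline.

```python
"""Automated configuration-compliance check over a device inventory.

Added example, not code from the article. The inventory, the configuration
snapshots and the policy rules are constructed for illustration; the
directives mimic a generic CLI-style device configuration and are not
taken from any real device or vendor syntax.
"""
from dataclasses import dataclass


@dataclass
class Device:
    hostname: str
    role: str           # constructed role label, e.g. "router" or "firewall"
    config: list        # collected configuration, one directive per line


# Constructed inventory with constructed configuration snapshots.
INVENTORY = [
    Device("core-rtr-1", "router", [
        "hostname core-rtr-1",
        "logging host 10.0.0.5",
        "ntp server 10.0.0.10",
        "ip ssh version 2",
        "no service telnet",
        "ip route 0.0.0.0/0 10.1.0.1",
        "ip route 0.0.0.0/0 10.1.0.2",
    ]),
    Device("core-rtr-2", "router", [
        "hostname core-rtr-2",
        "logging host 10.0.0.5",
        "ntp server 10.0.0.10",
        "ip ssh version 2",
        "service telnet",                 # deviation: cleartext management left enabled
        "ip route 0.0.0.0/0 10.1.0.1",    # deviation: single default route, no redundancy
    ]),
    Device("edge-fw-1", "firewall", [
        "hostname edge-fw-1",
        "ntp server 10.0.0.10",           # deviation: no central logging destination
        "ip ssh version 2",
        "no service telnet",
        "ip route 0.0.0.0/0 192.0.2.1",
        "ip route 0.0.0.0/0 192.0.2.2",
    ]),
]


def count_prefix(config, prefix):
    """Number of directives in a snapshot that start with the given prefix."""
    return sum(1 for line in config if line.startswith(prefix))


# Policy rules: (rule id, auditor-facing description, predicate over a snapshot).
# Rule ids are constructed for this example, not taken from any standard.
RULES = [
    ("LOG-01", "central syslog destination configured",
     lambda cfg: count_prefix(cfg, "logging host ") >= 1),
    ("NTP-01", "time source configured so audit logs are correlatable",
     lambda cfg: count_prefix(cfg, "ntp server ") >= 1),
    ("MGMT-01", "SSH protocol version 2 enforced",
     lambda cfg: "ip ssh version 2" in cfg),
    ("MGMT-02", "cleartext telnet management disabled",
     lambda cfg: "service telnet" not in cfg),
    ("ROUTE-01", "redundant default route present for resilience",
     lambda cfg: count_prefix(cfg, "ip route 0.0.0.0/0 ") >= 2),
]

# Directive families that should be identical across devices sharing a role.
MANAGEMENT_PREFIXES = ("logging ", "ntp ", "ip ssh ", "service telnet", "no service telnet")


def run_checks(inventory):
    """Evaluate every rule against every device; return hostname -> failed rule ids."""
    return {dev.hostname: [rid for rid, _desc, check in RULES if not check(dev.config)]
            for dev in inventory}


def role_inconsistencies(inventory):
    """For each role, the management directives not shared by all devices in that role.

    A non-empty set means the devices disagree (configuration drift), even if
    each device individually passes the policy rules.
    """
    by_role = {}
    for dev in inventory:
        directives = {line for line in dev.config if line.startswith(MANAGEMENT_PREFIXES)}
        by_role.setdefault(dev.role, []).append(directives)
    return {role: set.union(*sets) - set.intersection(*sets) for role, sets in by_role.items()}


def compliance_summary(inventory):
    """Counts an auditor would want on the first page of the evidence package."""
    results = run_checks(inventory)
    return {"devices": len(results),
            "compliant": sum(1 for fails in results.values() if not fails),
            "noncompliant": sum(1 for fails in results.values() if fails)}


if __name__ == "__main__":
    for host, failed in run_checks(INVENTORY).items():
        print(f"{host}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
    for role, drift in role_inconsistencies(INVENTORY).items():
        print(f"role {role}: drift={sorted(drift) or 'none'}")
    print(compliance_summary(INVENTORY))
```

Because the rules are data rather than hard-coded branches, adding a contractual requirement from a new customer means appending one tuple, and the same run produces both the per-device findings and the cross-device drift report, which is the evidence a continuous-compliance process needs to keep regenerating as the network changes.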