5th Annual Cybersecurity Conference for Executives
March 13, 2019 Baltimore, Maryland, USA
The regulatory playing field.
Dr. Phyllis Schneck, Managing Director of the Global Cyber Solutions practice at Promontory Financial Group, said that businesses need to focus on operational resilience rather than making compliance their only goal. “Compliance with regulation is not security,” Schneck said. While regulations can be a good start, they usually aren’t enough. One of the problems with regulation, she said, is that it shows the bad guys what you’re not doing, so they can invest their time and money into targeting areas that are unprotected. Attackers will always be ahead, because defenders have laws. Attackers can adapt more quickly to new information, and they’re generally more open to sharing information with other attackers.
Operational resilience is the only way to address this problem. Companies need to have their recovery strategies set up in advance. She stresses that rehearsal is a necessary component of resilience. Companies need to ask themselves what they would do “if all the lights went out tomorrow,” so that they’re not dealing with that question when the lights actually do go out.
Schneck adds that we may have placed too much of an emphasis on regulating personally identifiable information (PII), while other important data have gone ignored. PII is widely regulated, but there is a wealth of other types of data that aren’t regulated, and which, when aggregated, can amount to PII. Information such as location data and buying habits can be just as valuable to an attacker as it is to the companies that collect the data.
Companies should tell consumers which data they’re collecting and what they’re using it for, Schneck believes. As an example, she says that IoT devices should list what they consist of and what type of information they’re capable of collecting. This would be akin to ingredient or prescription labels on food or medicine, so consumers know exactly what they’re buying.
Schneck isn’t advocating for regulation, per se. Instead, she’s pushing for information to come out. If a technology company refuses to reveal how many microphones or cameras are in a device, consumers will want to know why.