CSO Perspectives (Pro) 10.18.21
Ep 59 | 10.18.21

Security compliance and cybersecurity first principles.
Rick Howard: Hey, everybody.
Vincent Martella: (As Phineas Flynn) Hey, everyone. (Singing) We're back. 

Unidentified Actors: (As characters, singing) We're back. 

Vincent Martella: (As Phineas Flynn, singing) In our own backyard. We're going to make the most of every day. 

Rick Howard: Welcome back. We're broadcasting from the CyberWire secret sanctum sanctorum studios located underwater somewhere along the Patapsco River near Baltimore harbor. This is the kickoff for Season 7, and I'm so glad that it's finally here. We get to dissect some great issues this season through the light of first-principle thinking, and we'll be checking in with our subject matter experts at the CyberWire's Hash Table to get their thoughts and experiences. 

Rick Howard: On today's show, we're going to talk about cybersecurity compliance. And before you start, I can hear you all groaning already, even at the depths of Baltimore harbor - compliance, boring. But hear me out. There are some 50-plus compliance laws that we've all heard about on the books internationally and at the U.S. federal level and within each U.S. state. And that doesn't even include most of the compliance laws that we haven't heard about within all of the 195 sovereign countries that exist in the world. 

Rick Howard: This show isn't about whether or not respecting those cybersecurity compliance laws will make you more secure. It's more about whether or not the potential fines from any of those laws represent a material threat to the business and such becomes an essential first-principle strategy right alongside zero trust, intrusion kill chain prevention, resilience and risk forecasting. Let's find out. 

Rick Howard: My name is Rick Howard. You're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: At some point in my professional career, the main thing I did in order to do my job was travel. It wasn't bad - out on Monday and home by Friday, usually. These weren't marathon travel adventures where I was gone from home for weeks at a time. They were more like little travel sprints. I could go and come back before my wife and kids even realized I was gone. And at my age and associated nerd athletic ability, I kind of like the idea that anybody would consider me sprinting anywhere. 

Rick Howard: But two or three times a year, I did travel overseas. And once when I was still a newbie at this corporate travel thing, I was supposed to travel to Sao Paulo, Brazil, to keynote a security conference. The night before my trip, I confirmed my flight, hotel, my rental car, and I triple-checked that I had my passport handy. And when I arrived at the airport the next morning, the airline clerk asked to see my Brazilian visa. 

Rick Howard: Now, before this, I'd had some experience traveling internationally, but nobody had ever asked me about a visa. I responded to the clerk with, my Brazilian what-what? And apparently the only way to get a Brazilian visa at the time was to wander down to the Brazilian Embassy in Washington, D.C., stand in line for a few hours and pay a fee. Because that was impossible to do before the scheduled flight and because I couldn't comply with the Brazilian travel law, I had to cancel my trip and my keynote address. And come to think of it, I've never been invited back. Maybe there's a correlation there. 

Rick Howard: But that's when I learned that compliance law was much bigger than cybersecurity, much larger than government entities simply passing laws like the European Parliament's General Data Protection Regulation, or GDPR, to correct bad cyber behavior. 

Rick Howard: The idea of compliance can be used by many kinds of organizations. Vendor groups like the Payment Card Industry Security Standards Council can develop compliance regimes to avoid government regulation. 

Rick Howard: Compliance can be used by neutral third-party standards developers like the International Organization for Standardization, or ISO, as a revenue-generating business model. The ISO charges for their standards products. 

Rick Howard: Or it can be used by government entities establishing a baseline for their own internal IT infrastructure, like the United States National Institute of Standards and Technology, or NIST for short. NIST standards products have expanded out of the U.S. federal government and into the commercial sector, too, because they are free, vendor-agnostic and normally of the highest quality. 

Rick Howard: By definition, compliance is the act of conforming to a set of rules. If they come from government legislators, they manifest as laws. From vendor groups, they emerge as the price of doing business so that the entire vertical sector can thrive. From standards bodies, both governmental and nongovernmental, they represent neutral third-party agreements that other interested parties can point to. In other words, compliant organizations can say they are following generally accepted international best practices. 

Rick Howard: Amazingly, these compounding compliance laws have created an entire industry of support services to help organizations navigate the complex legal web of compliance law. TrustRadius is a review site for business technology that I found, and they say that these companies - Accenture, Deloitte, KPMG, Foundstone and Protiviti - are the biggest players in the compliance consulting market. And they generally offer services like compliance alerts, compliance calendars and customized compliance reporting. 

Rick Howard: Or if you're a do-it-yourselfer, there are software platforms, too, called governance risk and compliance software, or GRC. They are used mostly by traded companies to control the accessibility of data and manage those IT operations that are subject to regulation. 

Rick Howard: Again, according to TrustRadius, quote, "some financial and publicly traded companies are required by federal statute to complete elements of enterprise risk management, or ERM. In addition, a company's ERM score will impact their S&P credit rating," end quote. 

Rick Howard: GRC platforms offer compliance services like automated compliance management and audits and inspection management, and they focus on two business goals - loss of data and workloads and ensuring regulatory compliance. According to TrustRadius, these GRC tools usually claim to do both, but in truth, they usually specialize in one or the other. So buyer beware here. Make sure that you're getting the tool you need and not the tool the vendor needs to sell. 

Rick Howard: According to Nick Inman at Kroll Consulting, about a third of his clients forecast that they will spend greater than 5% of the company's revenue to satisfy compliance requirements. Think of that - 5%. We're going to come back to that in a second. 
Rick Howard: The impact of compliance rules on the day-to-day security practitioner usually falls into two categories. The first category is something I like to call a ticket to ride. 
The Beatles: (Singing) A ticket to ride. She's got a ticket to ride. She's got a ticket to ride, but she don't care. 

Rick Howard: For example, in order to sell cloud services to the U.S. government, vendors have to demonstrate that they meet a set of minimum requirements in their security configuration established by the Federal Risk and Authorization Management Program, or FedRAMP for short. Building and maintaining a security program that complies with FedRAMP standards and demonstrating that you have achieved that minimum bar becomes an essential task to doing business with the U.S. government. 

Rick Howard: But that's not the only ticket-to-ride example. Business leaders might also insist that their third-party contractors and supply-chain vendors meet some vendor-neutral standards, like the ISO 27000 standards family, before they approve any contracts. In both cases, compliance with those standards is your ticket to do business. 

Rick Howard: The second category of compliance rules that impact the day-to-day security practitioner is the potential range of fines and other penalties your organization might have to pay for cybersecurity noncompliance. For example, Google paid a $170 million fine in 2019 for failure to comply with the U.S. Children's Online Privacy Protection Act, or COPPA for short. The European Parliament fined Amazon this year, 2021, $877 million for failure to comply with GDPR, the largest GDPR fine to date. The U.S. Office of Civil Rights fined Anthem $16 million for HIPAA noncompliance. HIPAA stands for the Health Insurance Portability and Accountability Act. 

Rick Howard: To be clear, I'm not talking about other fines levied against companies for noncompliance in areas unrelated to cybersecurity. Those numbers are astronomical comparably and most often hit financial institutions. For example, the 2020 Finbold Bank Fines report listed the Goldman Sachs settlement of almost $4 billion - that's billion with a very large capital B - to the Malaysian government for money laundering and fraud as the most expensive penalty of that year. But that wasn't even an isolated incident. There were 12 such fines levied against U.S. organizations alone for a total of almost $11 billion. To fill out the top 20 country totals, fines ranged from almost $1 billion to $600 million. That's a lot of cheddar. 

Rick Howard: So I'm not talking about those kinds of fraud noncompliance. I'm interested in cybersecurity compliance. In terms of first principles, what's the probability that a failure-to-comply penalty will be material to the business in the next three years? And if the senior leadership thinks that probability is too high, what's the cost to reduce it? 

Rick Howard: Now, admittedly, this is a weak spot for me. I don't know much about this corner of cybersecurity. And you can bet that I'll be asking our Hash Table guest about this in next week's show. But if we use the Kroll Consulting estimate that many organizations will spend the equivalent of 5% of their revenue on compliance programs, that spend seems way too high to me, compared to the actual risk. 

Rick Howard: Let's look at the math. According to the website Macrotrends, Amazon's annual revenue for the quarter ending June 30, 2021, was $113 billion, again with that capital-B word. Five percent of that is $5.65 billion. Now, according to Kroll, Amazon could've spent that $5.65 billion to avoid a GDPR fine of only $877 million. That's million with a small-case M. 

Rick Howard: The same is true for Google. According to the Statista website, as of 2020, Google's annual revenue was roughly $182 billion. Google could've spent 5% of that - roughly $9 billion, big B - to avoid a $170 million COPPA fine, small M. 

Rick Howard: And rounding off the list, the annual revenue of Accenture for the quarter ending August 31, 2021, was $13 billion, big B. Using the Kroll estimate, they could've spent over $600 million to avoid a $16 million HIPAA fine, small M. 

Rick Howard: In all three cases, that seems excessive to me. Certainly, I'm no math whiz, but even I can add those numbers. 

Rick Howard: I know. I'm cherry-picking here, taking three of the largest and most successful companies on the planet, who could pay these fines with the money they find in between their couch cushions in the employee spa center. I get it. But I'm just trying to do some back-of-the-envelope calculations to see if I can wrap my head around this problem of compliance. 

Rick Howard: At first glance, though, it doesn't seem to me that spending on compliance consulting services or GRC platforms is worth the investment, at least for small and medium-sized businesses. The exceptions, of course, are businesses working in the finance and health care sectors. The regulators in those industries are not fooling around in terms of fines. 

Rick Howard: Your mileage may vary, though, so take a close look. For big Fortune 500 companies like Google and Amazon, they may be too big to worry about this kind of thing. I'm not saying that the fines won't hurt them. The Amazon $877 million fine is nothing to sneeze at. But the potential compliance budget might be better spent on improving basic first-principle strategy deployment with a nod toward showing regulators and auditors that their program meets the essence, if not the letter of the regulation. 

Rick Howard: That leaves us with the in-between companies, bigger than a medium-sized company but smaller than the Fortune 500 company. Consulting services and GRC platforms might be just the thing for them. I just don't have enough data to determine it one way or the other. 

Rick Howard: Now, in researching this show, I created a spreadsheet of the 50-plus cybersecurity laws and standards that most people have heard of. You can download it from the show page on the CyberWire website. It tracks things like the name of the law, the associated acronym, the stated purpose for the law, things security executives should consider if they want to comply, potential fines and penalties and awarded fines and penalties. Now, it's not complete by any means, but if you're tracking compliance, it might be a good place to start. And much of the data came from an excellent series of essays written by Josh Fruhlinger over at CSO Online. 

Rick Howard: One thing to note - the spreadsheet doesn't include data breach laws. There are many websites that track that particular niche. For this show, the one that I like came from the website Embroker - that's Embroker. 

Rick Howard: Another website from DLA Piper built a comprehensive information source that explains the current state of GDPR-like laws internationally and for each U.S. state. It's highly detailed and well done. 

Rick Howard: And finally, if you want to have your world rocked concerning the corruption and fraud of the financial institutions at the highest level, check out the Finbold Bank Fines report. The money stolen and the fines levied are jaw-dropping. 

Rick Howard: And that's a wrap. Next week, I'll be talking to the CyberWire's Hash Table experts to see if they can provide some clarity to this compliance question and to the idea that compliance programs might be part of our first-principle strategy not because they provide more security - they might - but more importantly because of the potential fines that may result for noncompliance. You don't want to miss that. 

Rick Howard: And as always, if you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Also, we're looking for feedback. If you have any thoughts about this show, "CSO Perspectives," drop a line to csop@thecyberwire.com. That's csop@thecyberwire.com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.