First Principle Series: Compliance?
At some point in my professional career, the main thing I did in order to do my job was travel. It wasn’t onerous: out on Monday and home by Friday (usually). Two or three times a year, though, I did travel overseas. Once, when I was still a newbie at this corporate travel thing, I was supposed to travel to São Paulo, Brazil, to keynote a security conference. The night before my scheduled departure, I confirmed my flight arrangements, hotel, and rental car, and I triple-checked that I had my passport handy. When I arrived at the airport the next morning, the airline clerk asked to see my Brazilian visa. I had some experience traveling internationally but nobody had ever asked me about a visa before. Blanky, I responded with “My Brazilian what what?” And apparently, the only way to get a Brazilian visa at the time was to wander down to the Brazilian Embassy in Washington DC, stand in line for a few hours, and pay a fee.
Security compliance is bigger than laws
That’s when I learned that compliance was much bigger than government entities simply passing laws like the The European Parliament’s General Data Protection Regulation (GDPR) to correct bad cyber behaviour. The idea of compliance can be used by many kinds of organizations. Vendor groups like the Payment Card Industry Security Standards Council can develop compliance regimes to avoid government regulation. Compliance can be used by neutral third-party standards developers like the International Organization for Standardization (ISO) as a revenue-generating business model. (The ISO charges for their standards products.) Or it can be used by government entities establishing a baseline for their own internal IT infrastructure, like the United States’ National Institute of Standards and Technology (NIST). NIST standards products have expanded out of the U.S. federal government and into the commercial sector too because they are free, vendor agnostic, and normally of the highest quality.
By definition, compliance is the act of conforming to a set of rules. If they come from government legislators, they manifest as laws. From vendor groups, they emerge as the price of doing business so that an entire vertical sector can thrive. From standards bodies, both governmental and non-governmental, they represent neutral third-party agreements that other interested parties can point to. In other words, compliant organizations can say they are following generally accepted international best practices.
An entire industry provides services to organizations that need help navigating the complex legal web of compliance law. TrustRadius, a review site for business technology, says that these companies are the biggest players in that market:
- Accenture Compliance Consulting
- Deloitte Compliance Consulting
- KPMG Compliance Consulting
- Foundstone Services
- Protiviti Compliance Consulting
They generally offer services like:
- Compliance alerts
- Compliance calendars
- Customized compliance reports
There are software platforms too, called Governance, Risk & Compliance software (GRC), that are used by publicly traded companies to control the accessibility of data and manage those IT operations that are subject to regulation. According to TrustRadius, “Some financial and publicly traded companies are required by federal statute to complete elements of enterprise risk management (ERM). In addition, a company’s ERM score will impact their S&P credit rating.”
GRC platforms offer compliance services like:
- Automated compliance management
- Audits and inspection management
They focus on two business goals: loss of data and workloads and ensuring regulatory compliance. According to TrustRadius, “Most GRC tools can serve both goals, but they may be more specialized in one area over the other.” According to Nick Inman at Kroll Consulting, about a third of his clients forecast that they will spend greater than 5% of revenue to satisfy compliance requirements.
The first compliance category - ticket to do business
The impact of compliance rules on the day-to-day security practitioner usually falls into two categories. The first category is a ticket to proceed. For example, in order to sell cloud services to the U.S. government, vendors have to demonstrate that they meet a set of minimum requirements in their security configuration established by the Federal Risk and Authorization Management Program (FEDRAMP). Building and maintaining a security program that complies with FEDRAMP standards and demonstrating that you have achieved that minimum bar becomes an essential task to doing business with the U.S. government. Also, business leaders might insist that their contractors and supply chain vendors meet the ISO 27000 standards before contracts can be approved. In both cases, compliance with those standards is your ticket to do business.
The second compliance category - penalties and fines
The second category is the potential range of fines and other penalties your organization might have to pay for cybersecurity non-compliance. For example, Google paid a $170 million fine in 2019 for failure to comply with the Children's Online Privacy Protection Act (COPPA). The European Parliament fined Amazon this year (that is, 2021) $877 million for failure to comply with GDPR, the largest GDPR fine to date. The U.S. Office of Civil Rights fined Anthem $16 Million for Health Insurance Portability and Accountability Act (HIPAA) non-compliance.
To be clear, I'm not talking about fines levied against companies for non-compliance in areas unrelated to cybersecurity. Those numbers are astronomical and most often hit financial institutions. For example, the 2020 Finbold Bank Fines Report listed the Goldman Sachs settlement of $3.9 billion to the Malaysian Government for money laundering and fraud as the most expensive penalty of that year. But that wasn’t an isolated event. There were 12 such fines levied against U.S. organizations alone for a total of $10.9 billion. To fill out the top 20 country totals, fines range from $959 million to $.62 million.
I'm not talking about those kinds of fraud non-compliance. I'm interested in cybersecurity compliance. In terms of first principles, what’s the probability that a failure-to-comply penalty will be material to the business in the next three years. And, if the senior leadership thinks that probability is too high, what’s the cost to reduce it?
Admittedly, this is a weak spot for me. I don't know much about this corner of cybersecurity. But, if we use the Kroll Consulting estimate that many organizations will spend the equivalent of 5% of their revenue on compliance programs, that spend seems high compared to the actual risk.
According to the website MacroTrends, Amazon’s annual revenue for the quarter ending June 30, 2021 was $113 Billion. Five percent of that is $5.65 Billion. According to Kroll, Amazon could have spent $5.65 Billion to avoid a GDPR fine of only $877 million. The same is true for Google. According to the Statista website, as of 2020, Google's annual revenue amounted to $182 billion. Google could have spent five percent of that ($9 billion) to avoid a $170 million COPPA fine. The annual revenue of Accenture for the quarter ending August 31, 2021 was $13 Billion. They could have spent $650 Million to avoid a $16 million HIPAA fine.
In all three cases, that seems excessive. Certainly I'm no math wiz, but even I can add up those numbers.
Is compliance a first principle strategy?
I know that I'm cherry picking here; taking three of the largest and most successful companies on the planet who could pay these fines with the money they find in between their couch cushions in the employee spa center. I get it. But I'm just trying to do some back of the envelope calculations to see if I can wrap my head around this problem of compliance.
At first glance though, it doesn’t seem to me that spending on compliance consulting services or GRC platforms is worth the investment, at least for small and medium sized businesses. The exceptions of course are businesses working in the finance and healthcare sectors. The regulators in those industries are not fooling around in terms of fines. Your mileage may vary though, so take a close look.
For big Fortune 500 companies, like Google and Amazon, they may be too big to worry about this kind of thing. I'm not saying that the fines won't hurt them, but the potential compliance budget might be better spent on improving basic first principle strategy deployment with a nod towards showing regulators and auditors that their program meets the essence, if not the letter, of the regulation.
That leaves us with the in-between companies, bigger than a medium sized company but smaller than a Fortune 500 company. Consulting services and GRC platforms might be just the thing for them. I just don’t have enough data to determine it one way or the other.
Sources and methods
In researching this essay, I created a spreadsheet of the 50+ cybersecurity laws and standards that most people have heard of. It tracks these things:
- Entity Responsible
- Purpose Intended for
- CISO Points
- Instigating Event
- Administered by
- Potential Fines & Penalties
- Awarded Fines & Penalties
If you’d like a copy, email us at CSOP@thecyberwire.com.
It’s not complete by any means, but if you are tracking compliance, it might be a good place to start. Much of the data came from an excellent series of essays written by Josh Fruhlinger over at CSO Online.
The spreadsheet doesn’t include data breach laws. There are many websites that track that particular niche. For this essay, the one that I liked came from the website Embroker.
DLAPiper has built a comprehensive website that explains the current state of GDPR-like laws internationally and for each U.S. state. It is highly detailed and well done.
Finally, if you want to have your world rocked concerning the corruption and fraud of financial institutions at the highest level, check out the Finbold Bank Fines Report.
11 MAY 2020:
CSOP S1E6:: Cybersecurity First Principles
15 JUN 2020:
CSOP S1E11:: Cybersecurity first principles - risk
17 AUG 2020:
CSOP S2E5: Data loss protection: a first principle idea.
24 AUG 2020:
CSOP S2E6:: Data loss protection: around the Hash Table.
- Hash Table Guests:
- Tom Quinn - CISO - T. Rowe Price Associates
- Nikk Gilbert - CISO - Cherokee Nation Businesses
- Dawn Cappelli - VP of Global Security and CISO for Rockwell Automation
- Gary McAlum - CSO- USAA
- Link: Podcast
- Link: Transcript
- No Essay
19 APR 2021
CSOP S5E1: Security in different verticals: Financial and Fraud
- Hash Table Guests
- Gary McAlum, USAA’s former CSO
- Jerry Archer, Sallie Mae’s CSO
- Steve Winterfeld, Akamai’s Advisory CISO
- Link: Podcast
- Link: Transcript
- Essay: None
26 APR 2021:
CSOP S5E2: Security in different verticals: Healthcare
- Hash Table Guests
- Denise Anderson, Health-ISAC President and CEO,
- Errol Weiss, Health-ISAC CSO
- Rick Doten, Carolina Complete Health CISO
- Link: Podcast
- Link: Transcript
“5 Standardization Bodies Security Professionals Need to Know - Infosec Resources.” 2021. Infosec Resources. July 12, 2021.
“15 Actions/Penalties Brought by FTC under GLBA + FTC Act -.” 2008. July 7, 2008.
“20 Biggest GDPR Fines of 2019, 2020 & 2021 (so Far) - Updated 2021 - Tessian.” 2021. Tessian. September 6, 2021.
“Accenture Revenue 2006-2021 | ACN.” 2021. Macrotrends.net. 2021.
“Amazon Revenue 2006-2021 | AMZN.” 2021. Macrotrends.net. 2021.
Biedron, Rob. 2021. “Famous Accounting Scandals in Corporate Finance | PLANERGY Software.” PLANERGY Software. March 2021.
Corporate Compliance Insights. 2020. “Gartner Identifies the Legal & Compliance Technologies to Focus on Post COVID-19.” Corporate Compliance Insights. October 5, 2020.
“Corporate Conflicts / Corporate Legal Compliance Sarbanes-Oxley Analysis / Corporate Governance.” 2021. Corporateconflicts.com. 2021.
CSO staff. 2021. “Security and Privacy Laws, Regulations, and Compliance: The Complete Guide.” CSO Online. September 3, 2021.
“Data Breach Laws by State [2021 Guide] - Embroker.” 2021. Embroker. Embroker. July 22, 2021.
deloitteeditor. 2018. “Five Areas to Monitor to Mitigate Costly Compliance Risks.” WSJ. June 26, 2018.
deloitteeditor. 2018. “Six Ways to Prepare for the EU’s GDPR.” WSJ. May 3, 2018.
“Enforcement in United States - DLA Piper Global Data Protection Laws of the World.” 2020. Dlapiperdataprotection.com. 2020.
Fruhlinger, Josh. 2020. “GLBA Explained: Definition, Requirements, and Compliance.” CSO Online. December 17, 2020.
Fruhlinger, Josh. 2020. “PCI DSS Explained: Requirements, Fines, and Steps to Compliance.” CSO Online. July 17, 2020.
Fruhlinger, Josh. 2020. “The Sarbanes-Oxley Act Explained: Definition, Purpose, and Provisions.” CSO Online. November 30, 2020.
Fruhlinger, Josh. 2021. “What Is HIPAA? Definition, Compliance, and Violations.” CSO Online. January 25, 2021.
“GDPR Enforcement Tracker - List of GDPR Fines.” 2021. Enforcementtracker.com. 2021.
“Google: Annual Revenue | Statista.” 2020. Statista. Statista. 2020.
HIPAA Journal. 2018. “$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark.” HIPAA Journal. October 16, 2018.
HIPAA Journal. 2021. “The Most Common HIPAA Violations You Should Be Aware Of.” HIPAA Journal. January 10, 2021.
“How to Become FedRAMP Authorized | FedRAMP.gov.” 2021. Fedramp.gov. 2021.
“How to Create an Effective Compliance Program.” 2020. Powerdms.com. 2020.
“Information Security Compliance: Which Regulations Apply?” 2020. TCDI. December 21, 2020.
Inman, Nick. 2021. “Global Regulatory Outlook 2021.” Duff & Phelps. 2021.
Korolov, Maria. 2020. “California Consumer Privacy Act (CCPA): What You Need to Know to Be Compliant.” CSO Online. July 7, 2020.
Larson, Mark. 2020. “Security Compliance: Understanding Security & Compliance.” Linford & Company LLP. July 22, 2020.
Nadeau, Michael. 2020. “What Is the GDPR, Its Requirements and Facts?” CSO Online. June 12, 2020.
“Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards.” 2021. Pcisecuritystandards.org. 2021.
“Security Compliance | OpenSCAP Portal.” 2015. Open-Scap.org. 2015.
“SOX Section 906: Corporate Responsibility for Financial Reports.” 2021. Sarbanes-Oxley-101.com. 2021.
“The Bank Fines 2020 Report - Finbold.” 2020. Finbold.com. 2020.
TrustRadius. 2021. “Compliance Consulting.” TrustRadius. 2021.
TrustRadius. 2021. “Governance, Risk & Compliance.” TrustRadius. 2021.
Walsh, Karen. 2018. “5 Steps to Developing a Corporate Compliance Program.” Reciprocity. Reciprocity. March 20, 2018.