On the list of high-priority concerns for chief information security officers (CISOs) these days, privacy is occupying an increasingly prominent position.
Privacy has always been important for businesses and other organizations handling sensitive customer and stakeholder information, but recent changes in privacy regulations are putting greater responsibility on CISOs, who are required to perform thorough risk assessments while making the results available on demand. Failure to conduct assessments or correct deficiencies can incur significant fines and, in some cases, even jail time.
CISOs need to take a proactive approach to meeting the challenge, particularly by performing rapid data security assessments to identify vulnerabilities and high-priority risks—including those involving third parties—and implement mitigations to protect data, the organization and its customers.
Vice President of Security at Neovera.
State regulators want risk assessments—now
A number of states have recently upped the ante for CISOs, requiring detailed risk assessments that must be produced upon request. State regulations that have added new requirements include the California Privacy Protection Agency (CPPA) draft regulations, Texas Data Privacy and Security Act (TDPSA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and the New York SHIELD Act.
CISOs need to be on the same page with these new regulations, even if not all of them use the same playbook. While Virginia and Colorado, for example, set clear guidelines for assessments, California’s rules are more vague, requiring assessments without offering details.
The responsibility for implementing and documenting privacy controls and policies falls primarily on the shoulders of the CISO, who must ensure that the organization’s procedures for managing information protects privacy data and meets regulatory requirements. Performing risk assessments that identify weaknesses and demonstrate that they are being addressed is a crucial step in the process, even more so now that they must be ready to produce risk assessments whenever regulatory bodies request them.
As if CISOs needed an added incentive, regulators at the state and federal levels have been trending toward targeting organization management, particularly CISOs, in the wake of costly breaches. The consequences include hefty fines for organizations and, in worst-case scenarios, even jail sentences for CISOs.
Responsibility for privacy protections also extends to third-party risks. Organizations can’t afford to rely solely on promises made by third-party providers because regulators and state attorneys generally can hold an organization responsible for a breach, even if the exploited vulnerability belonged to a provider. Organizations need to implement a framework for third-party risk management that includes performing due diligence on the security postures of third parties.
Rapid risk assessments boost both security and compliance
Teams should follow several best practices in performing rapid assessments.
Automated scanning tools can identify a range of vulnerabilities, such as weak or non-existent authentication processes, unpatched and/or outdated software and hardware, and misconfigurations in the network. An assessment of internal risks can be combined with an analysis of common external threats. Security teams can then prioritize risks based on their threat levels and establish a plan for remediation.
Penetration testing serves as another critical tool that can help security teams quickly evaluate and assess potential threats to their infrastructure. By simulating a real-world attack, it is designed to show how an organization's layered controls worked together (or did not work) to defend against a hacker. As a result, organizations have a better understanding of their security posture and vulnerabilities that may attract bad actors.
In today’s threat landscape, with the constant drumbeat of sophisticated attacks, the process needs to be done efficiently, making rapid data security assessments an essential part of any risk analysis framework. Rapid assessments enable teams to quickly identify, prioritize and remediate the greatest risks while laying plans for further remediations. It allows them to determine the appropriate steps in each case, such as whether they need to implement encryption, access controls, intrusion prevention systems, firewalls or other measures.
After remediations have been applied, teams need to test the affected system to verify that the fixes have taken hold, and then conduct broader testing to ensure that systems are functioning as expected.
As a final step, organizations should implement a well-seasoned partner in Managed Services that can watch their security environments and remediate any vulnerabilities that occur. Out of office on vacation? Cybercriminals won’t hesitate to exploit your weaknesses over Thanksgiving dinner. Maintaining a security posture requires 24/7 dedication in today’s evolving and turbulent cyber landscape, which is where managed service providers can offer support.
Performing rapid assessments on a regular basis, such as every six months, is a good practice on its own for protecting against expensive and damaging data breaches, but it is also imperative to being able to comply with increasingly stringent privacy regulations. Documenting the steps they’ve taken, as well as those they plan to take, will enable CISOs to deliver the risk assessments regulators are looking for.
Conclusion
Security is a never-ending process, as CISOs are well aware, but so is compliance. Depending on the field they work in, businesses can face an array of compliance requirements that are frequently changing, as in the case of the recent updates to state privacy laws. In all, 20 U.S. states (so far) have privacy laws, and although there is no overarching federal privacy laws, many businesses must comply with international laws such as the European Union’s General Data Protection Regulation (GDPR) if they do business or monitor data subjects in the EU.
A proactive approach to security that makes use of automation in performing regular, repeatable rapid data security assessments as part of a robust risk management framework will enable CISOs to enhance data protections while keeping pace with the evolving compliance landscape.
We've featured the best online cybersecurity course.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
