The digital age has ushered in an era of unparalleled technological advancements, facilitating the rapid growth of global commerce, communication, and data sharing. While the ubiquity of digital interconnections has brought immense benefits, it also presents new avenues for cyber threats, especially with the introduction of advanced capabilities in Artificial Intelligence (AI), which is now broadly available.
In light of these recent developments, the United States and other nations have taken steps to legislate and regulate cybersecurity practices. For Chief Information Security Officers (CISOs), this evolving landscape is fraught with challenges, particularly when it comes to duplicate regulations and legislation.
One of the primary challenges faced by CISOs is the complexity arising from overlapping jurisdictions. As cyber threats recognize no borders, many countries have taken it upon themselves to enact their own sets of cybersecurity regulations. This can lead to scenarios where multinational companies find themselves juggling compliance requirements from different countries, many of which may have similar, if not identical, intentions but different stipulations. Even within the U.S., multiple states have enacted legislation impacting everything from cyber incident reporting guidelines to various sector-specific privacy laws. The net result is U.S. U.S.-based companies are required to comply with multiple states and various federal agencies from a regulatory perspective.
This situation gets even more complicated when regulations from other nations conflict with the U.S. regulatory landscape. For example, the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) both focus on user privacy and data protection. While their core principles align, their mandates diverge in various aspects, from data access rights to breach notification timelines. For CISOs, navigating these intricate nuances becomes a complex task, and failure to do so can lead to hefty penalties. Consider those fines levied on Amazon (€746 million), Facebook (€265 million) and its subsidiary WhatsApp (€225 million), and Google (€90 million).
The reality is complying with multiple regulatory frameworks does not come cheap. Organizations must invest in technology, manpower, and training to ensure adherence to every single regulation relevant to their operations. When similar regulations overlap, it can lead to redundancy in compliance efforts and unnecessary financial strains and does not necessarily contribute to an enhanced security posture as compliance does not always equal security.
For example, an organization operating in both the U.S. and the EU might need to implement two separate data tracking systems or audit protocols because of slight differences in regulations. This means extra costs in terms of software, hardware, and human resources, which could have been avoided with harmonized regulations. In fact, a recent study of 46 multinational organizations revealed the average cost of compliance is more than $3.5 million, with a range of $446,000 to over $16 million (source: https://www.ponemon.org/local/upload/file/True_Cost_of_Compliance_Report_copy.pdf).
And as previously noted, duplicate regulations also have the potential to conflict with one another. In certain cases, adhering to one set of regulations might inherently mean violating another. CISOs then find themselves in a precarious position where they must choose which regulation to prioritize, putting the organization, and sometimes, their own legal liability at risk either way. Consider data localization laws, where certain nations mandate that data concerning their citizens remain within national borders. If a company is also subject to a regulation in another country requiring data transparency or accessibility, they may be caught in a situation where they cannot satisfy both.
Another factor that requires careful consideration is that in the drive to ensure compliance, there is a risk of stifling innovation. The pressure of navigating a labyrinth of regulations can cause organizations to adopt a conservative approach to technology adoption, fearing potential non-compliance with a yet-unconsidered regulatory stipulation. In a world where staying technologically ahead can provide critical competitive advantages, this cautiousness can hinder an organization’s growth and adaptability.
The National Technology Security Coalition (NTSC) strongly believes that while it is crucial to protect data and ensure cybersecurity, it is equally important to have streamlined, harmonized regulations that allow organizations to function effectively. A collaborative approach between nations, focusing on creating standardized cybersecurity benchmarks, can reduce the complexity CISOs currently face. Moreover, providing clearer guidelines and frameworks can assist organizations in understanding exactly what is required of them, reducing the gray areas that lead to potential non-compliance.
In summary, while the global regulatory landscape’s intention is noble and necessary, its current state, marked by duplicate and overlapping regulations, poses a myriad of challenges for CISOs. The NTSC seeks to address these issues through our advocacy efforts in Washington D.C., with a goal to foster an environment where cybersecurity and business efficiency coexist harmoniously.
Patrick D. Gaul is the Executive Director of the National Technology Security Coalition (NTSC), a non-profit, non-partisan, industry-agnostic organization focused on uniting both public and private sector stakeholders around policies that improve national cybersecurity standards and awareness.
As an industry leader, Patrick is frequently asked to speak about issues related to cybersecurity policies and legislation. Patrick began his career in the information technology industry after serving nine years with the United States Marine Corps.
After spending 26 years with AT&T International and Infonet Services Corporation in assignments across the globe, he returned to the U.S. in late 2003 and has served in leadership roles across multiple industries including web hosting, software quality assurance, customer intelligence and cybersecurity.
In his current role, Patrick focuses on ensuring the voice of the Chief Information Security Officer (CISO) is heard on Capitol Hill and leads a coalition of over 80 senior technology security executives including 52 CISOs from Fortune 1000 firms across the nation.