
Rebuild security and compliance foundations with automation


Businesses have invested a lot of money, effort and technology into addressing cybersecurity challenges in the wrong way. They have been covering issues by applying bandage after bandage rather than attacking the root causes. Ironically, we have reached a point in cybersecurity where the layers of patchwork protection we have been adding are themselves becoming the root cause of issues ever more frequently. And while organizations are clearly investing in necessary cybersecurity technology, investments in other critical areas, such as automating key proactive security processes and shifting compliance left into design and early development, are significantly lagging behind.

Overreliance on perimeter defenses has created larger attack surfaces for already large targets, such as financial institutions. As the regulatory landscape grows more complex by the day, organizations that do not begin to automate and streamline compliance will be faced with rising costs that will come back to their clients.

It is time for organizations to rebuild the foundation of security and compliance by embracing automation, creating and deploying secure software and addressing the challenges of implementing requirements that are not written for engineers.

Compliance is a moving target

The days are over when software development could take a year or two between major releases. Organizations in every sector are under pressure to develop and deploy software swiftly, sometimes in a matter of days. It’s not that organizations don’t want to implement security early or achieve compliance by design; they just don’t have the resources needed to keep track of everything that needs to be done from the start on their own while also remaining competitive.

No analyst that I am aware of has predicted that in 10 years, compliance problems will be solved by technology. Compliance is a people and process problem. Look at Equifax and Capital One, for example. Both companies had policies in place for securing their technology that, if implemented correctly by their users, likely would have prevented their breaches.

This is where automation truly shines. When we consider how compliance regulations are written, compared to how software is written, it becomes even more understandable how an organization might experience a lapse in compliance. It is unreasonable to expect software engineers and technologists to fully understand regulations that were written by policymakers and implement them into software.

Financial institutions have a particularly onerous set of compliance obligations, ranging from Payment Card Industry Data Security Standard requirements to the Sarbanes-Oxley Act, with international or regional requirements, such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act, compounding the burden. Only the health care and pharmaceutical industries come close in terms of regulations. And those regulations are regularly updated or altered, requiring institutions to continually adjust their software to meet the standards.

Verizon’s 2020 Data Breach Investigations Report found that nearly 90% of all data breaches are financially motivated, up from 71% last year. For that reason, many retailers contract out their financial transactions in order to limit their liability, leaving that job to banks and other financial institutions. Amid pressure from boardrooms and the general public to ensure the integrity of transactions, costs and complexities of compliance continue to increase. The costs of noncompliance can be overwhelming. Data breaches in the banking industry cost institutions an average of $18.3 million, according to a study by Accenture and the Ponemon Institute. Significant breaches can cost even more.

Fixing the foundation

The practice of layering security measures on top of one another, often at the perimeter of the network, has become commonplace. Web application firewalls were designed to…



Read More: Rebuild security and compliance foundations with automation