Regulatory requirements for Cybersecurity
Updated: Mar 28
Regardless of where you live, there is always some law you have to follow. In kindergarten a police officer would come by and say a few words about how to cross the street safely. In Poland children must obtain a bicycle card when they reach the age of ten before they may ride a bike on public roads, and to get it they have to learn the basic principles of traffic law. Once they grow up they can learn to drive a car, but that process is longer and there is more law to learn. Cybersecurity is similar, with one twist. For citizens there is no law that says how they should behave in cyberspace or how to secure their devices. Of course there is criminal law, which now penalises misbehaviour such as hacking. It is a little ironic that today there are more free toys for hackers to play with than tools to make you secure. Teenagers often start their first hacking journeys by brute forcing (guessing the password of) their neighbours' Wi-Fi, or by breaking into their peers' accounts to pull pranks. Such actions are offences under criminal law.
For companies it is different, because they have to follow laws in which ensuring cybersecurity is an explicit requirement. Companies can be penalised for misbehaviour, but mostly they are penalised for not behaving at all, that is, for not implementing the regulatory requirements. One regulation that made a big fuss and that everyone has heard of is the European Union's GDPR (General Data Protection Regulation). Its main purpose was to introduce unified measures for protecting the personal data of EU citizens (and not only citizens). For cybersecurity it was a major breakthrough, because until then security was covered in sectoral laws or not at all. GDPR was the first directly applicable, cross-sector EU regulation with explicit security requirements: as long as a company processed personal data, it had to implement security measures. The big problem for us was translating what the law said into what we needed to implement, which meant hours spent breaking the regulation down word by word to identify specific security measures. Compare GDPR with the regulations car manufacturers follow for mandatory equipment and you will see the problem. There is a list of specific items a car must have to be road legal; a mirror is a mirror, and there is no difficulty in understanding the requirement. Cybersecurity is quite different. In GDPR (Article 32) the regulators literally wrote that the measures shall include "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services." Just so you understand: if you were to design a car from requirements written like that, people would use flare guns to signal their turns, paper towels for wipers and rope for seatbelts. Believe me, in cybersecurity that is what such requirements produce. Thankfully the regulators have apparently listened, and the new NIS2 Directive (Network and Information Security Directive) is a little more specific. Just a little.
So how do we go about reading the law? The main difference between cars and cybersecurity is that modern regulations describe what we should be doing as a process rather than saying "take this technology and put it in place". And that makes a lot of sense. Coming back to my previous posts, cyber is not only the technology we use, it is the world we live in. Cybersecurity is not about implementing a specific technology; it is about living securely in the cyber world. There are three main pillars to this: people, process and technology. Following the comparison with cars, it is all about being safe on the road: regardless of the car, there has to be a person doing the driving, so you teach people to execute the process of driving the technology. The more you teach people how to behave on the road, the more aware they will be and the more they will keep within the speed limits. The better the car, the more support people will have when driving it. The same principles apply in cybersecurity: we teach people to work in a secure manner (don't share your password, don't click on suspicious links, use a privacy screen when working in a public place), and we implement technology to take the load off people so that more security happens automatically. That is why there is no literal translation of the law into cybersecurity: everyone meets the regulatory requirements in a different manner. And there are only more laws coming in the future.
As I mentioned earlier, regulations are becoming more specific, but still not specific enough for us to fully understand what the author had in mind and, even more problematic, what the auditors will look for when deciding whether to penalise our companies for having "not enough" security. The most common practice is to implement a security framework, slowly but surely. There are many frameworks out there, but the best known are ISO/IEC 27001, the NIST Cybersecurity Framework, the CIS Controls, COBIT and PCI DSS. They share common elements, but some go into more detail than others in specific areas. This is all good until a new groundbreaking technology comes to life. Historically, Microsoft launched its cloud services back in 2010 (how did we live without them?? ;) ), whereas ISO/IEC 27017 was first released in 2015, so the first security standard that addressed cloud computing was already five years late. To this day there is no general regulation that specifies the security measures an organisation must adopt when it uses cloud services, and I really hope there never will be one. Don't get me wrong, but the more detailed regulations get, the worse they turn out. It is like the start/stop function in cars, which manufacturers fit to meet EU emission targets because it is supposedly more eco-friendly. Most people just turn it off, and the rest are unlucky and cannot; that is not what we call a good user experience. That is why standards should not be the law. For us it is quite clear: if you want to be compliant with any law that requires cybersecurity controls, pick any of the five frameworks mentioned above and adapt it to your specific needs and capabilities.
My point on regulations is that it is good they exist for companies, but it would be much better if there were also regulations with an actual effect on citizens. In the US alone, 53.5 million people were victims of cybercrime in the first half of 2022. Statistically there are fewer car accidents in Europe in a whole year than that, yet we require people to hold a driving licence before they drive a car. I am not saying that from tomorrow everyone should be obliged by law to pass an exam on using the internet, but I believe there are a couple of things the legislature could improve to make citizens more secure. As I said, cybersecurity is people, process and technology. Without a doubt we already have the technology and the process; what we lack is the people. That is why regulators should actually start caring about citizens and their education on how to live safely in the cyber world. We cannot simply expect organisations to take responsibility for educating citizens. Education starts at an early age, and that is why cybersecurity should be a mandatory class in every school, so that a 7-year-old will not only know how to make a presentation in PowerPoint but also how to use the internet safely. There are special programmes to enable seniors to use the internet, but does anyone teach them how to do it securely? I feel we have never learned from our own history. In 1913 an average of 33.38 people died per 10,000 cars; that average has since dropped to 1.53 per 10,000 cars. Remember that in 1913 there were only 500 thousand cars, whereas now there are over 1.63 billion. From a legislative perspective that is a huge problem, because we have over 5.16 billion people worldwide using the internet: the automobile industry started with a far smaller population to educate than the one we face now, some 40 years into using the internet.
Oh, and if you like what you read, make sure you subscribe for more!