On March 1st (2017), new cyber-security regulations (23 NYCRR 500) for financial services companies went into effect in New York State. The regulations impose minimum cyber-security standards on financial services companies, in response to the growing cyber threats that information and financial systems face. This is an important move in the right direction and, provided it has teeth, could truly raise the bar for cyber-security standards across the country, setting a precedent for other state or federal regulators to follow.
While setting a precedent for cyber-security standards is certainly important, there is a less apparent but probably bigger upside here, and it has to do with the fundamental challenges of operationalizing security.
The long and winding road
While the intentions behind the regulations are good, experience tells us that financial institutions often suffer severe “growing pains” in achieving compliance with cyber regulations. Initially, the response tends to fall somewhere between confusion and denial: Is this relevant for us? Where do we stand? Can’t we just wait and see? What should we do now? Then looming deadlines and penalties turn the confusion into an urgent rush to action, which usually means hasty spending on additional security tools to meet the required standards. The cost itself can be a challenge, especially for small-to-medium businesses. But the real frustration often lies ahead, regardless of the company’s size and budget: it arrives when those additional tools fail to deliver the expected results, and the expected compliance.
How do we break this pattern of confusion, overreaction, and frustration, and achieve compliance and better security through a healthier, more calculated process?
In other words, how can we develop an operational strategy that saves time and head count, avoids undisciplined investment, and does not require buying new products every time regulations are created or updated?
No one size fits all. But which one fits me?
A thorough read of the New York regulations reveals a balance between very prescriptive security infrastructure areas, where best practices exist and minimum baselines can be specified (encryption, multi-factor authentication and other security controls), and areas where the authors have avoided a one-size-fits-all approach. For example, the requirements include identifying risks, implementing detection and response infrastructure to mitigate those risks, staffing appropriately to operate that infrastructure, and periodically conducting a “refresher” risk assessment, all without specifying technicalities, leaving the methodology up to each business’s interpretation. That seems fair, as companies are indeed different. But there is a catch: the less prescriptive areas are also the ones most likely to cause the confusion and overreaction that lead to the misguided strategy of buying more and more security tools.
There is no Google Translate for this
The best way to begin complying with new cyber-security regulations such as New York’s is by identifying risks. Bridging business and security, and getting executives and tech professionals to understand each other, is never easy. High pressure and uncertainty only amplify the difficulty.
What we need is a framework that facilitates the dialog. Board members and executives should prioritize business risks by the potential impact should certain information assets be compromised. Security professionals should answer with threat modeling: if you are the adversary, and compromising those assets is your mission and intent, which principal attack methods would you use? A common language based on the intent of an attack would help executives understand, strategically, how the various defenses, tools, and capabilities within their company combine to address the missions of the attackers, allowing security teams to focus on designing and implementing those defenses.
Get strategic: The tech factor
Security architects need to identify which tools and processes are required to implement each defense requirement, to comply with security standards and best protect business interests.
But in today’s environment this is hardly possible. The truth is that a tool can be excellent against one attack scenario and ineffective in another, and there is no factual, reliable way to tell what each tool is good at and then to direct the tools you have accordingly.
What is missing is a systematic method to understand attack intents on one hand, to classify the capabilities of security tools and track their performance on the other, and to make informed decisions on how to match the two, dynamically and automatically assembling the tools’ functionality across the network to counter the attack intent and satisfy the regulations.
Having such a method in place could pay big dividends. It would let a business get the most out of what it already has, turning it into what it needs before rushing to spend more money. If the company does have a compliance and coverage gap and truly needs an additional tool, the decision to acquire one would then be fact-based rather than based on opinions or feelings. Lastly, when operated continuously, such a method would make compliance with the reporting and risk-assessment requirements easier and cheaper to achieve and maintain.
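To make the matching concrete, here is an added, illustrative coverage-gap analysis in Python. It is not the article's method or any product's code; the assets, impact scores, attacker intents, tool capabilities and effectiveness scores are all constructed for illustration, and the 0.7 effectiveness threshold is an assumption. Executives supply the impact ranking, the threat model supplies the intents per asset, and each tool's effectiveness per intent is a measured number (for example, the fraction of test or red-team cases it caught). The analysis then ranks uncovered intents by business impact and answers the purchase question: does a candidate tool close a gap the existing tools leave open?

```python
"""Illustrative intent-to-capability coverage analysis (added example, not the article's own).

All data below is constructed for illustration. Effectiveness scores are
assumed to come from measured tests of each tool, not vendor claims.
"""
from dataclasses import dataclass, field

MIN_EFFECTIVENESS = 0.7  # assumed threshold: below this, a tool does not count as covering an intent


@dataclass
class Asset:
    name: str
    impact: int    # business impact if compromised, 1 (low) .. 5 (critical); set by executives
    intents: set   # attacker intents that would compromise this asset; set by threat modeling


@dataclass
class Tool:
    name: str
    capabilities: dict = field(default_factory=dict)  # intent -> measured effectiveness 0.0 .. 1.0


def coverage(assets, tools):
    """Map each intent to (weight, best_tool, best_score).

    weight is the highest impact among the assets exposed to that intent, so an
    intent is ranked by the worst thing it could reach, not by how many assets it touches.
    """
    weights = {}
    for asset in assets:
        for intent in asset.intents:
            weights[intent] = max(weights.get(intent, 0), asset.impact)
    result = {}
    for intent, weight in weights.items():
        best_tool, best_score = None, 0.0
        for tool in tools:
            score = tool.capabilities.get(intent, 0.0)
            if score > best_score:
                best_tool, best_score = tool.name, score
        result[intent] = (weight, best_tool, best_score)
    return result


def gaps(assets, tools, threshold=MIN_EFFECTIVENESS):
    """Intents no tool covers at or above the threshold, highest impact first."""
    uncovered = [(intent, weight, tool, score)
                 for intent, (weight, tool, score) in coverage(assets, tools).items()
                 if score < threshold]
    return sorted(uncovered, key=lambda g: (-g[1], g[0]))


def tool_is_justified(candidate, assets, tools, threshold=MIN_EFFECTIVENESS):
    """The fact-based purchase test: True only if the candidate closes at least one
    existing gap. A tool that duplicates coverage you already have fails the test."""
    before = {g[0] for g in gaps(assets, tools, threshold)}
    after = {g[0] for g in gaps(assets, tools + [candidate], threshold)}
    return bool(before - after)


def report(assets, tools, threshold=MIN_EFFECTIVENESS):
    """Human-readable status lines, the kind of fact-based summary an executive update needs."""
    lines = []
    for intent, weight, tool, score in gaps(assets, tools, threshold):
        have = f"best available is {tool} at {score:.2f}" if tool else "no tool addresses it"
        lines.append(f"GAP  impact={weight}  {intent}: {have}")
    for intent, (weight, tool, score) in sorted(coverage(assets, tools).items()):
        if score >= threshold:
            lines.append(f"OK   impact={weight}  {intent}: {tool} at {score:.2f}")
    return lines


# Constructed sample data (illustration only).
ASSETS = [
    Asset("customer account database", 5, {"credential theft", "data exfiltration", "lateral movement"}),
    Asset("wire transfer system", 5, {"credential theft", "privilege escalation"}),
    Asset("marketing web site", 2, {"web defacement", "data exfiltration"}),
]
TOOLS = [
    Tool("MFA", {"credential theft": 0.9}),
    Tool("EDR", {"lateral movement": 0.8, "privilege escalation": 0.5}),
    Tool("web proxy", {"data exfiltration": 0.6}),
]

if __name__ == "__main__":
    print("\n".join(report(ASSETS, TOOLS)))
    for candidate in (Tool("DLP", {"data exfiltration": 0.85}),
                      Tool("second EDR", {"lateral movement": 0.95})):
        verdict = "closes a gap" if tool_is_justified(candidate, ASSETS, TOOLS) else "adds no coverage"
        print(f"candidate {candidate.name}: {verdict}")
```

With the sample data, the ranked gaps are data exfiltration and privilege escalation (both reaching impact-5 assets, with the proxy and EDR scoring below the threshold) and then web defacement; credential theft and lateral movement are covered. A DLP candidate passes the purchase test because it closes the exfiltration gap, while a second EDR with a better lateral-movement score fails it, since that intent is already covered. Swapping a measured score into the table is the "track their performance" part: when a tool's effectiveness drops, the intent reappears as a gap without anyone having to re-argue the whole tool list.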
Get strategic: The human factor
What companies end up spending most of their days on is managing and operating defenses. The regulators were clearly aware of this and specifically called out the need for sufficient personnel to do so.
In a competitive market where budgets and talent pools are limited, it is critical to build automation into a business’s cyber-security program. Automating day-to-day Security Operations tasks (monitoring, detection, investigation and response) seems like a logical first step, ensuring compliance while controlling costs. But sooner or later the maintenance overhead and costs of that automation become apparent, and very few organizations can keep pace with thousands of correlation rules that need updating with every new vulnerability, malware variant, or behavior discovered.
If we can abstract those masses of ever-evolving variants, signatures and rules, classifying them into logical, intent-based attack and defense capabilities, then we can move from tactical to strategic management and maintenance of security. That would give us more resilient defenses with dramatically lower overhead. Speaking strategically would also allow for better situational-awareness reports at the executive level, providing fact-based status updates on the organization’s compliance level at any moment in time.
Last, but not least
Much of the initial commentary about the new regulations focused on SMBs and how they would need to step up their game to achieve compliance. Makes sense.
That said, the challenges and new approaches for establishing compliance apply to larger enterprises as well, allowing them to maintain compliance more simply and at a much lower cost. Even companies with mature programs in place still have room for optimization, and that starts with understanding that new regulations don’t necessarily mean more tools.