Automation might not be the first thing that comes to mind when you think about regulatory compliance, but there is a link. To be successful, organisations need to be on the front foot and able to absorb new rules and regulations seamlessly, avoiding the pitfalls of industry or geographic penalties, rather than falling back on the usual reactive mentality.
By Ian Jansen van Rensburg
However, adhering to every piece of new regulation is easier said than done. Between 2009 and 2012, there were more than 50,000 business regulations published across the G20 countries. This rose to over 50 000 regulatory updates in 2015 alone and it’s an area showing no signs of slowing, with research indicating that regulatory costs for financial institutions could more than double by 2022.
Yet it’s not just the number of rules that is causing organisations problems; the sheer length and complexity of some can require huge investments of time. The implementation of MiFID II is a prime example: this new piece of financial regulation (which aims to protect investors and make sure that financial markets are open and fair) runs to over 30 000 pages and 1,7-million paragraphs – a significant investment of time and resources.
The complexity of compliance
It’s safe to say that the last few decades have seen a rise in business complexity. Against the backdrop of mounting international competition, businesses have become increasingly global irrespective of their size. Moreover, the core of that success lies in turning vast swathes of data into information.
At the same time, the digitisation of businesses means that IT applications are creating data that isn’t just sensitive, as in the case of banks and hospitals, but also huge in volume, as in the case of IoT factories that create petabytes of data per month. Herein lies a specific challenge – how do businesses remain compliant when the data is both human and non-human based? How do we handle and integrate both whilst protecting the user’s or consumer’s information?
This requires the ability to digitally adapt to an ever-increasing set of rules, standards and processes. The closer we come to innovation, the more exposed the data is, and this is multiplied exponentially once we understand the data. The next generation of CISOs can only be successful if they focus on the protection of customer and user information.
However, as a consequence of this global data revolution, and of legislation turning towards consumer and customer safety, businesses are inadvertently creating a range of international regulatory fronts on which to battle.
This, in turn, is causing the most senior leaders in IT to struggle, as they strive to develop and maintain business technology strategies that are as innovative as they are compliant. This work, both on a regional and an international basis, is perceived to stifle the very same culture of innovation which technology is enabling.
Can innovation and compliance ever get along?
To remain competitive, organisations know that they must be on the bleeding edge of their respective industries when it comes to consumer insight, operational efficiency and most importantly, innovation.
However, at the same time, they must also be continuously preparing for cyber threats, consumer retention and start-up competition, whilst remaining ready to take precautions for regulatory change.
Take the retail sector as an example: organisations are determined to make shopping easier for consumers, but the chief information security officer (CISO) is battling to ensure that any new features or technologies are secure to use and comply with ever-increasing digital regulation, without stemming the functionality of the application. Whilst every technology vendor talks about GDPR, this is a real example of where a data protection strategy is more important than a single element of compliance.
However, technology vendors are seeing this natural tension. Compliance and innovation are unlikely to ever be best friends. Mandated security notwithstanding, regulation can cause serious disruption to the engine of a business – a situation akin to putting your feet on the accelerator and the brake at the same time.
Of course, organisations do have to play by the rules, as evidenced by recent examples such as TalkTalk, the telco which experienced a major data breach in 2015. While it received a record fine from the ICO for its security failings, the real damage was to its brand reputation, as evidenced by the exodus of nearly 100,000 customers shortly after and an image that has taken a significant hit.
A mindset shift
What is clear is that there needs to be a way of enabling this regulatory compliance whilst allowing flexible business applications and innovative routes to market.
This is possible with the advent of cyber hygiene (five principles that focus on corporate information and its value) over cyber security.
We all know that initiating a system of security updates once there’s been a major breach has a distinct ‘stable door being locked after the horse has bolted’ feel to it. With automation, machine learning and artificial intelligence becoming available to potential hackers, a reactive cyber security strategy that doesn’t focus on a hygiene approach is gradually becoming meaningless.
For this reason, many CISOs now feel that the era of reactive cyber security is dead and we are now entering a world of cyber hygiene, a world where businesses architect security directly into their products and systems from the start.
Similarly, the sheer number of new regulations being introduced means that a firefighting approach to compliance is unsustainable in the long term, and firms need to move from a tactical approach to a strategic one. This is why businesses must partner with organisations that understand the innate shift from hardware security to software-defined secure networks.
Compliant from the start
The concept of cyber hygiene is about a continual plan, not a stop gap or a “final solution”. Organisations must be able to automate compliance and ‘bake’ compliance into their IT systems from the start, in order to remove the guesswork and the age-old rush to make sure all data is present and correct ahead of a potential audit.
This consistent approach worked especially well for media juggernaut Sky, several years ahead of the recent GDPR legislation. The company didn’t have to work on a reactive GDPR-specific strategy because it had already been working on a more consistent data protection strategy – showing that it’s better to have a holistic data protection approach by having a cyber hygiene culture.
This goes to show that the investment in including compliance requirements early in the product or service lifecycle pays off in more than one way – with decreased potential penalties, not to mention the hours of saved time that would otherwise have been spent taking corrective measures. Businesses can no longer afford not to take this approach.
This is only going to increase as laws start to try to keep up with the digital revolution and as AI and machine learning become better at mimicking the human hacker. The more data we produce, the richer the vein to tap into. The more transparent organisations become, and the more widely working patterns across any device, anywhere, at any time are adopted, the greater the risk factor when it comes to compliance and regulation.
Organisations can no longer rest on their laurels and think they can get away with doing just enough to comply with laws and rules that have just been introduced; they must now pre-empt them. This means it is about integrity and ownership: a sense of mutual respect when it comes to human information.
Ian Jansen van Rensburg is a senior systems engineer at VMware