Compliance

The Evolution of Compliance and the Future of Cybersecurity

GigaOm COO joins inaugural episode of Commvault’s new compliance podcast.

By Jason Meserve | May 30, 2025

In the inaugural episode of Commvault’s Continuous Compliance podcast, Chief Trust Officer Danielle Sheer welcomed GigaOm COO Howard Holton for a discussion about the evolving landscape of compliance, the vulnerabilities in critical infrastructure, and the implications of data loss and cybersecurity. The discussion was both insightful and thought-provoking, offering valuable perspectives on how organizations can better protect themselves and their data in an increasingly digital world. Watch the full episode here.

The Shift in Compliance Perception

Compliance has long been viewed as a back-office function, a mere checkbox on a list of tasks to be completed. However, this mindset has left critical infrastructure highly vulnerable because proper architectural standards receive insufficient attention. Danielle stressed the importance of treating compliance as a critical aspect of organizational security and integrity. Drawing a stark comparison between physical and digital compliance, she noted that while a physical failure like tainted beef can lead to immediate and severe consequences, a digital failure like a data breach affecting 300 million people might not result in the same level of repercussions. This disparity, and the lack of urgency in addressing digital security issues, underscores the need for stricter penalties and regulatory frameworks so that organizations take compliance seriously.

“The CEO should face the worst penalties, the chairman of the board second. That would change things overnight,” Howard suggested.

The EU’s General Data Protection Regulation (GDPR) was cited as a model for the United States to follow. GDPR has had a significant impact on compliance, with more fines in its first year than in the entire history of HIPAA in the U.S.
The success of GDPR underscores the importance of federal involvement in creating a unified regulatory framework for cybersecurity in the U.S.

The Evolving Role of the CISO

The role of the CISO is becoming increasingly crucial in bridging the gap between technical expertise and executive decision-making. Danielle and Howard stressed that the CISO should be a board-level position, with regular and transparent communication with the board.

“If your CISO is not in front of your board on a minimum of a quarterly basis, you don’t have a CISO,” Danielle said. “And if you are not letting your CISO talk to the board on a minimum quarterly basis and really deliver useful information and be as open and transparent as possible, you don’t have a security program.”

Howard also suggested a balanced board composition, with 60% MBAs and 40% technologists. This balance would help board members better understand and address cybersecurity challenges.

The CISO’s role in incident response and strategic planning is also critical. “The greatest way to make change is to have a smart CISO at your organization when you go through a ransomware attack. Everybody just goes, ‘Oh crap, we should have listened,’ and this is what we’ll do,” he observed.

The Complexity of State-by-State Regulations

The patchwork of state-by-state regulations in the United States poses significant challenges for effective cybersecurity compliance. Danielle explained that the U.S. is effectively 51 countries when it comes to compliance, with each state having the ability to enact its own laws. This complexity can lead to confusion and inconsistent implementation of security measures. The speakers advocated for federal involvement to standardize regulations, making it easier for organizations to comply and enabling a more cohesive and effective approach to cybersecurity.
The Potential of AI in Information Management

AI has the potential to significantly disrupt industries, but this potential is contingent upon the quality and maturity of an organization’s data management practices. “AI accelerates everything so insanely much that there’s nothing that accelerates potential the way AI can accelerate potential,” Howard said. Companies with mature data management and high-quality data have a first-mover advantage in the AI-driven landscape. “If your data quality isn’t up to snuff and your organizational maturity around your data just is not there, it’s going to cost you potentially everything,” he warned.

Key Takeaways

Compliance as a critical function: Compliance should be treated as a critical aspect of organizational security and integrity, not just a back-office task. The lack of proper standards in software has led to significant security risks.

Stricter penalties needed: The disparity in penalties between physical and digital compliance failures highlights the need for more stringent and consistent enforcement of digital security standards. Severe penalties for CEOs and board members could drive significant change.

Elevating the CISO: The CISO’s role should be elevated to a board-level position, with regular and transparent communication. A balanced board composition, including technologists, can help address cybersecurity challenges more effectively.

Federal standardization: The complexity of state-by-state regulations hinders effective cybersecurity compliance. Federal involvement is necessary to create a unified and standardized regulatory framework.

AI and data quality: AI has the potential to accelerate organizational capabilities, but this potential is contingent upon the quality and maturity of an organization’s data management practices. Companies with high-quality data have a significant advantage.