Regulating cybersecurity, and data protection in general, is driven by two needs:
- to clearly explain the expectations that society has for the organisations that society is increasingly dependent on,
- to provide a mechanism for the unmanaged externalities of those organisations (the societal and personal harm from breaches) to be realised within the organisation; this is often achieved through enforcement and fines.
The former need is a challenge because, as I have stated before, cybersecurity at a macro level is a ‘dancing landscape’ for which rigid statements of compliance are unlikely to be of anything other than fleeting value. I think there are ways to distinguish between the types of challenges that require checklists, those that require risk models and those that require experimentation, but this ‘variety of approaches to regulation’ remains more of a possibility than a reality, although schemes such as CBEST [PDF] and its analogues internationally show some movement in this area.
The latter need is contentious. The punishment of organisations for failing to take appropriate regard for the externalities of their cybersecurity decisions can be challenged as harming the end consumer or citizen (by diverting funds that would otherwise be used in service or product delivery), as harming commercial innovation by having a chilling effect on the development of the products and services most at risk, and as harming national competitiveness, since firms that operate in territories that take enforcement seriously do not have a level playing field against firms that do not. There is also a ‘grey area’ between good practices for an organisation and the responsibilities of national security; as a Chief Risk Officer once barked at me, “I’m not a fucking intelligence agency for the British government”.
However, given the digital profit margins and the real societal harms, ensuring that some of that pain is felt by the organisations responsible is necessary to keep management teams focused on the quality and outcome of their cybersecurity decisions.
Over the last decade, we saw an amazing public relations campaign aimed at senior executives and boards around the cybersecurity brand. A combination of press coverage and guidance from governments and regulators served to focus Boards of Directors’ attention on the topic. Unfortunately, I now hear anecdotally that this interest is waning. I suspect we, as a discipline, are somewhat to blame for painting ‘cybergeddons’ that never came to pass, but also, frankly, spending money to protect someone else (customer/user/citizen) is always going to be much less interesting to organisational leaders than developing and providing new forms of value.
I agree that enforcement is a difficult balancing act between accountability and the freedom to innovate. What is interesting is how enforcement can radically alter the perception of the importance of regulation. The Data Protection Act was limited to a £500,000 maximum fine, and for many large global firms that wasn’t something they wanted, but nor was it much of a deterrent. Once the harsher enforcement guidelines of GDPR were known, I saw Boards move heaven and earth to avoid exposure to fines of 4% of global annual revenue.
One of the challenges in enforcement is that fines and financial penalties are only one way to share the pain felt by the victims of breaches, and they can sometimes just put a cost on risky activity rather than suppress it. Other forms of regulatory activity exist: the Information Commissioner can force you to stop your business activity, and regulators such as the Financial Conduct Authority and the Financial Reporting Council can strip directors of their role and ban them from holding similar positions in the future. These are fairly draconian measures that are not often used.
One of the alternative forms of regulatory enforcement is, frankly, embarrassment. The Information Commissioner’s Office issues enforcement letters describing the results of its investigations irrespective of the enforcement actions chosen. This means that breaches are publicised and can damage an organisation’s reputation if not well managed by a PR crisis firm.
Boards of Directors are made up of senior executives and non-executives who worry a lot about their personal reputations. A damaged personal reputation can significantly reduce the opportunities to develop a portfolio career across multiple firms. That is an interesting point of leverage for regulators to consider. If, when reporting on investigations of public breaches, the directors sitting on the board at the time of the breach were named in an appendix, it might focus the minds of boards on avoiding personal reputational damage, and who knows, some analysis over time might show us who the ‘bullet-catcher’ executives are who constantly allow the circumstances for breaches to occur under their watch.
Imagine if we made it a requirement for applicants to Director roles to disclose breaches that happened at previous employers while they were employed as Executive or Non-executive Directors. This might drive a change in behaviour, both in terms of investing to avoid problems and in driving up the need to understand what those breaches were so that they can be explained in the interview process.