Regulatory compliance has become extremely complicated. Many organizations are accustomed to achieving and maintaining compliance with the “old” regulations like the Payment Card Industry Data Security Standard (PCI DSS) and the Health Information Portability and Accessibility Act (HIPAA).
However, in recent years a rash of new data protection regulations have gone into effect, and many of them have a greater scope than previous ones. In the past, an organization may only have been required to maintain compliance with regulations in their nation or with a global scope. Now, these new state, national, or regional regulations apply to any organization processing the data of its constituents, regardless of the location of that organization.
As a result, many organizations are struggling with the new, patchwork compliance landscape. However, a large part of this struggle is driven by the fact that many organizations build their security strategies to “check the box” for compliance. By identifying security controls required across many regulations, like a web application firewall (WAF), and building a security strategy around these solutions, organizations provide themselves with an excellent starting point for mapping their security strategy to the needs of specific regulations.
The Challenges of Regulatory Compliance
In recent years, the regulatory landscape has been expanding rapidly. Organizations are now required to comply with a variety of different regulations. Even for those in previously well-regulated fields, who are accustomed to achieving and maintaining compliance, navigating the new regulatory landscape is complex.
The rash of new regulations began with the EU’s General Data Protection Regulation (GDPR). The GDPR is designed to protect the personal data of EU citizens. It dramatically expanded the rights of EU citizens and requires that organizations or countries wishing to collect, process, or store the data of EU citizens have similar protections in place.
The example of the GDPR has inspired many states and countries to pass their own data protection regulations in recent years. However, while these new regulations are similar in intention, they differ dramatically in the details. As a result, organizations are struggling to comply with all of the regulations that apply to them.
Identifying Fundamental Compliance Requirements
Complying with the mess of current and upcoming regulations is difficult for many regulations. In fact, a group of 51 CEOs of the biggest US tech companies have sent an open letter to Congress requesting a federal data privacy regulation that would supersede the patchwork of state regulations, simplifying the US data protection landscape.
While this is a potential long-term solution to the problem of a fragmented regulatory compliance landscape, it doesn’t solve the problem in the short-term. Accomplishing this requires a new mindset toward regulatory compliance.
Many organizations take a compliance-focused approach to security. Deploying security controls on their networks and endpoints is done for the sake of compliance. This “check the box” approach to regulatory compliance is becoming increasingly unsustainable as a number of different regulations, all asking for subtly different policies, procedures, and security controls, come into effect.
A more scalable approach to regulatory compliance is identifying the security controls that are required or desired by each regulation and implementing them in an intentional fashion. For example, most regulations require organizations to deploy a web application firewall to protect their web presence against common attacks. A WAF is explicitly required in PCI DSS Requirement 6.6 and implied in data protection regulations like the GDPR and the California Consumer Privacy Act (CCPA) that require protection of personal data since a quarter of data breaches are carried out by exploiting web application vulnerabilities.
WAFs are one of several different security controls that are required by many regulations, either explicitly or implicitly. Another example is a data security solution that can manage access to repositories of sensitive data, which is a must for compliance with regulations like PCI DSS, GDPR, and CCPA. By identifying these required solutions and building a security architecture around them, an organization has a great foundation for building out the specific security controls, policies, and procedures required by each regulation.
Going Beyond Compliance to Security
The compliance-focused approach to security that many organizations adopt makes it more difficult for them to actually achieve and maintain regulatory compliance. The number of regulations that organizations must comply with is growing rapidly, and many of them require subtly different things of affected organizations. A piecemeal approach to compliance means that an organization will be constantly cobbling together security controls and policies for the next audit.
By taking a step back from the minutiae of the regulations and looking at the big picture, organizations can dramatically improve their ability to achieve and maintain regulatory compliance. Since many of these new regulations have the same overall goals, many of the same solutions can be applied to achieving compliance with all of them. By identifying common requirements between regulations and implementing them in an intelligent and intentional fashion, organizations can easily achieve compliance with a broad swath of regulatory requirements. After that, adding on additional controls or policies to meet certain regulatory compliance requirements is much less of a burden.