Regulatory compliance is a constant challenge for your organization, even in more tranquil times. In a post-pandemic world – where you have had to reinvent how you operate virtually overnight – meeting or exceeding the cybersecurity and data privacy controls mandated for specific types of data, or required to do business in regulated industries, may seem impossible.
Unfortunately, the business and regulatory disruption caused by COVID-19 probably won’t abate anytime soon. Far more likely, you are witnessing the beginning of a new era in which compliance challenges are ever-changing and increasingly complex. This is the new normal for organizations and entire industries – healthcare, financial services, education, pharmaceuticals, retail, manufacturing, and more. To successfully navigate this new compliance landscape, you must be able to recognize and rapidly respond to new risks.
Compliance Is Complicated
Anyone who must work with myriad and byzantine regulations will tell you that compliance is complicated. And while attaining compliance is hard, maintaining compliance is even more difficult. According to Verizon’s 2019 Payment Security Report, when Visa launched the PCI DSS standards in 2004, industry watchers expected most organizations to achieve full compliance within five years. The experts were wildly optimistic: Verizon found that 14 years later (in 2018), only 37% of organizations “were actively maintaining PCI DSS programs.” That was down from a high of 55% in 2016, and was the lowest full compliance rate since 2013.
There are several reasons for this downward compliance trend, Verizon concludes. Some organizations implement “inadequate or overly complex” data compliance programs that fail to hold up under real-world conditions. Others may lack “the review processes and revisions” necessary for compliance initiatives to be both effective and sustainable.
“Data protection should be approached like a chess game, with a sound strategy that includes assessing risks and planning several steps ahead,” Verizon writes. “All too often, CISOs focus on keeping only baseline control activities in place instead of growing data protection competency and maturity.”
That’s a losing strategy in an environment where change (and thus risk) is constant, and where bad actors relentlessly iterate new techniques to defeat old and ineffective defenses. Indeed, threats now evolve more rapidly than governing agencies and organizations can respond. Hundreds of thousands of new malware signatures are unleashed daily, while the lag between discovering a vulnerability and releasing and applying a patch widens. Further, cyberattacks continue to grow more sophisticated, even as managing a secure and compliant enterprise infrastructure becomes more complex.
Then there is human nature. People are bad at maintaining complex systems over time if there is no reward for doing so. In the case of a successful compliance program, the reward is a bit of a letdown because, done right, nothing happens. The bad guys don’t get in, data is not breached, and the network is not compromised. As nothing happens year after year, complacency (clearly we’re doing this right!) can creep in, especially when higher-priority projects distract managers and divert resources.