Can regulators and businesses keep pace with the rate of change the world is experiencing? The regulatory landscape is shifting rapidly across many industries, and the threat landscape is growing with it, driven by new technology, the proliferation of data, and the increasingly global nature of business. In short, regulators and businesses alike are struggling to keep up as new threats, products, and security requirements appear faster than the rules that govern them.
Regulation and compliance have existed for hundreds of years, and the traditional approach to compliance is reactive: prescriptive regulations are written from the lessons of past failures, applied, and then monitored. The world is now changing too quickly for this to remain feasible in many new and emerging industries, particularly given the volume of new data created every day. New approaches to regulation are needed.
Regulators take many different approaches to ensuring compliance across their domains. These models often differ greatly from one another, and the differences are typically shaped by the political climate of the time and by how mature the regulated subject matter is.
A prime example of a new regulatory environment is the management of unstructured data and cybersecurity. The past four years have seen dramatic and rapid change with the introduction of regulations and programs such as GDPR, CMMC, and CCPA. Regulators across the globe are still working out how to approach this area in terms of oversight and control.
In cases like these, a new approach to regulation is needed. The US DoD is leading by example by adopting a maturity model. In the long run we believe this will serve the industry well: it is prescriptive and controlled, and the introduction of external assessors and auditors will let organizations know exactly where they stand in relation to the required level of compliance. It will also allow the regulations, processes, and controls to grow and adapt as the subject matter changes.
However good an organization's processes and controls are, there will inevitably be issues, breaches, and incidents. In those situations it is very beneficial for the regulated entity to have been externally assessed and accredited beforehand. The headaches, overhead, and anxiety of a regulator retrospectively analyzing controls after a breach are reduced, because with CMMC there is a pre-existing, independently assessed record of the controls the organization had in place, benchmarked against a CMMC level before the breach occurred.
A maturity model also allows organizations to grow and adapt their processes and procedures to new threats and compliance requirements. It is a path of continuous learning and improvement on which an organization can regularly check its progress with the regulatory body, and that interaction is valuable both to the regulator and to the organizations in the industry.
It is interesting to note the evolution from NIST-based compliance to CMMC. The NIST SP 800-171 requirements capture best practices and help standardize contractors' approaches to keeping data safe by clearly outlining the required security controls. Their weakness was that primary responsibility for compliance rested with the contractors themselves, and compliance was established through self-attestation. Ultimately this approach did not prevent some high-profile breaches, which caused major disruption and problems for the contractors involved and for the regulator alike.
A fully audited maturity model would not necessarily have stopped all of these breaches, but it would have led to better outcomes and to a less costly and less disruptive path to remediation for the organizations involved. When organizations look back in four to five years, we expect they will recognize the adoption of a maturity model as a very positive step.