The Rise of the Regulators in Cybersecurity

October 29, 2015 |
Back in February 2013, President Obama signed an Executive Order entitled Improving Critical Infrastructure Cybersecurity. This asked US regulators in a long list of industries – finance, healthcare, utilities and so on – to review whether their powers in the realm of cybersecurity were “sufficient given current and projected risks,” and to take action if not.

Fast forward by two-and-a-half years, and organizations in those industries are now finding themselves faced with a much more rigorous regulatory regime than ever before. In the continued absence of robust cybersecurity legislation from Congress, we’re seeing more and more rulemaking by government agencies, and therefore more and more compliance mandates for the industries they regulate.

This rise of the regulators is a potential problem for US organizations for a few different reasons.

Most obviously, it creates a workload that wasn’t there previously. In the financial services sector, for example, the SEC has instigated the Cybersecurity Examination Initiative and issued broker-dealers an extensive – but not exhaustive – list of the measures and safeguards its auditors will look for. Working through this checklist will cost organizations a significant amount of time and money, and may not even satisfy the full scope of their requirements; the sector’s other regulatory agencies might interpret their responsibilities differently, for example.

Beyond that, there’s the now well-established fact that compliance is not security. Time and time again, organizations that have passed compliance audits are breached within months of meeting their requirements.

Regulators are checklist-driven. Cybercriminals are not. A sophisticated attack won’t be obstructed simply because a mandate for up-to-date antivirus software was checked off a list somewhere. The existence of a rigorous regulatory regime means that organizations potentially have a large portion of their cybersecurity spending dictated for them, and not necessarily in the way that most effectively keeps hackers out of their networks. The right tools and technologies for the job may be entirely absent from the regulator’s checklist.

Ensuring Both Compliance and Security

All of this puts US organizations in regulated industries in a difficult position. On the one hand, the regulators are becoming more demanding and compliance more resource-intensive. On the other, cybercriminals are becoming more prolific and sophisticated, and defy this checklist-oriented, baseline approach to cybersecurity.

Theoretically, these two problems can be solved independently of each other. It’s rare that an organization will be well enough resourced to do so, however. This creates a need for solutions that both provide the best possible protection for digital assets and satisfy the requirements of whatever regulatory regime is in place, effectively and efficiently.

A good example of this is in the area of access control and auditing. Regulators often ask organizations to produce reports demonstrating that only authorized personnel have access to a given resource, and that this access is only granted for an authorized purpose. See the following examples from the SEC’s checklist for broker-dealers:

“The Firm maintains controls to prevent unauthorized escalation of user privileges and lateral movement among network resources. If so, please describe the controls, unless fully described within policies and procedures.

The Firm restricts users to those network resources necessary for their business functions. If so, please describe those controls, unless fully described within policies and procedures.”

Traditionally, this would mean firewalling the network, ensuring that user groups are aligned to business functions, logging everything and then relaying this information to the auditor. It’s obviously simpler to deploy a solution that has both the principles of need-only access and global audit logging and reporting built into its core.
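As an added illustration (not code from the original post or from Cryptzone), the following Python script turns a role-to-resource policy and an access log into the kind of need-only-access evidence the two SEC checklist items above ask for: every access that falls outside a user's business-function role is flagged for the auditor. The roles, users, resources and log lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed policy: each business function maps to the network resources it needs.
ROLE_RESOURCES = {
    "trading":    {"order-mgmt", "market-data"},
    "compliance": {"trade-archive", "surveillance"},
    "it-ops":     {"order-mgmt", "market-data", "trade-archive", "surveillance", "admin-console"},
}
USER_ROLES = {"alice": "trading", "bob": "compliance", "carol": "it-ops"}

# Constructed access log, one event per line: "timestamp user resource action"
ACCESS_LOG = """\
2015-10-01T09:00:01 alice order-mgmt read
2015-10-01T09:02:17 alice trade-archive read
2015-10-01T09:05:43 bob surveillance read
2015-10-01T09:07:09 bob admin-console write
2015-10-01T09:10:55 carol admin-console write
2015-10-01T09:12:30 dave market-data read
"""

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, resource, action = parts
        events.append({"ts": ts, "user": user, "resource": resource, "action": action})
    return events

def audit(events, user_roles=USER_ROLES, role_resources=ROLE_RESOURCES):
    """Return (violations, per-user summary). A violation is any access to a resource
    outside the user's role, or any access by a user with no assigned role."""
    violations = []
    summary = defaultdict(lambda: {"in_scope": 0, "out_of_scope": 0})
    for ev in events:
        role = user_roles.get(ev["user"])
        in_scope = role is not None and ev["resource"] in role_resources[role]
        summary[ev["user"]]["in_scope" if in_scope else "out_of_scope"] += 1
        if not in_scope:
            violations.append({**ev, "role": role})
    return violations, dict(summary)

def report(violations):
    """Render auditor-facing lines, one per out-of-scope access."""
    return [f"{v['ts']} {v['user']} (role={v['role']}) accessed {v['resource']} outside authorized scope"
            for v in violations]
```

Running `report(audit(parse_log(ACCESS_LOG))[0])` lists the three out-of-scope accesses in the constructed log, which is the evidence the checklist items ask a firm to be able to produce.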

It remains to be seen how cybersecurity regulation – and indeed, legislation – in the US will evolve and mature in the long run. For now, though, the rise of the regulators is clearly something that organizations need to pay close attention to when they source and deploy new defenses against cyber threats.

Learn more about how Cryptzone’s secure access, data security and content governance solutions can help you comply with your industry’s regulatory regime at the same time as keeping your digital assets safe from cybercriminals.

Leo Taddeo
Chief Security Officer

Leo Taddeo is the Chief Security Officer (CSO) for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo, former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, is responsible for analyzing the cybersecurity market to help shape Cryptzone’s vision for security solutions. Taddeo provides deep domain insight into the techniques, tactics and procedures used by cybercriminals, to help Cryptzone continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.

Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.

Previously, Taddeo served as a Section Chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Taddeo has held various roles of increasing responsibilities in the field, including supervising a joint FBI/New York City Police Department Joint Terrorism Task Force and serving as the Legal Attaché in Rome, Italy.

After receiving his degree in applied physics from Rensselaer Polytechnic Institute in 1987, Taddeo served as a tank officer in the U.S. Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for service in the Gulf War. Taddeo then earned a Juris Doctor from St. John’s University and joined the New York law firm of Mound, Cotton & Wollan, where he practiced civil litigation until entering the FBI.

Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.
