Jack Jones: State ‘Safe Harbor’ Laws Should Promote Effective Cyber Risk Management, Not Just Compliance with Frameworks
State legislatures in Nevada, Ohio, Utah and Connecticut have passed or are in the process of passing “safe harbor” protection against negligence lawsuits for companies hit with a data breach – if the companies implement controls from a recognized cybersecurity framework.
The laws are similarly worded and offer an “affirmative defense” at law to companies that have a written cybersecurity policy and maintain “reasonable” security, defined as conforming to NIST, CIS, ISO or other controls-oriented frameworks. The stated intent of these laws is expressed in the title of a bill pending in Connecticut: “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses.”
Jack Jones is Chairman of the FAIR Institute and creator of Factor Analysis of Information Risk (FAIR™), the international standard for the quantification of cyber and technology risk.
It’s a very good thing to incentivize attention to the cyber risk landscape. And promoting the use of these security frameworks is certainly useful as a starting point. I think of them as guardrails, a minimum effort to set security on the right track. But I’d argue that they fall short of providing “reasonable” security.
The first thing to keep in mind about compliance reviews is that they characterize a security environment at a point in time for an organization that’s not static in a risk landscape that’s anything but static. In fact, if a breach occurs at an organization, that’s often a sign that they were out of compliance at the time, even if they’d previously passed a security review with flying colors.
More importantly, these laws make an implicit assumption that compliance with a framework equates to effective risk management. It doesn’t.
It’s relatively easy to check boxes or score against a controls framework and yet not be able to prioritize effectively to employ those controls that are most important in reducing the odds of having a major incident. Without that, organizations are far less likely to apply their limited resources to cover the bases they need to cover to really manage risk effectively.
To do that requires a risk-based approach with risk quantification at the center so organizations can assess first how much risk they have and, from that starting point, which controls drive residual risk to an acceptable level.
The risk-based and compliance-based approaches aren’t in opposition. Many organizations are realizing that applying FAIR is the most efficient way to use a controls framework. In a former life as a CISO I was able to make control choices using FAIR that enabled my organization to be compliant for a fraction of the cost of what would have been required if all I had done was check boxes. And the resources that were saved were applied to strengthen other dimensions of the program.
I’d like to see the law catch up at some point, and also encourage companies to assess their top risks and demonstrate they are providing adequate care in reducing risk to an acceptable level, based on quantitative risk measurement. That would be a more “reasonable” foundation for a security program that is more likely to stand up in court.