EP 12: Compliance Versus Practicing Cybersecurity
About this episode
December 11, 2018
Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, on the difference between focusing on compliance with cybersecurity laws and regulations versus practicing cybersecurity.
Kip Boyle: Welcome to The Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: I'm Jake Bernstein, Cyber Security Counsel at the Law Firm of Newman Du Wors.
Kip Boyle: This is the show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities...
Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.
So Jake, what are we going to talk about today?
Jake Bernstein: Well, Kip, today I figured we would talk about the difference between compliance and practice with respect to cybersecurity. Particularly, right now with GDPR and then frankly, just the general sense of compliance with HIPAA and PCI, I think it's important to discuss the differences between what it means to be quote, compliant, and what it means to actually practice good cybersecurity.
Kip Boyle: Oh, that's great. So to prepare for this episode, we both came up with three reasons or ideas about how they're different, and so I thought it would be fun if we compare lists. Let's hear your list and then talk about what you came up with, and we'll take a look at mine.
Jake Bernstein: Sure. So the way I organized this was I came up with three traits for compliance and three traits for practice and comparing them gets me my three differences.
Kip Boyle: Okay.
Jake Bernstein: So for compliance, I'm saying that it focuses on regulatory or industry self-regulation and the specific rules or requirements. If a compliance standard is based on a specific requirement, there's a risk that it could be out of date, almost as soon as those rules go into effect, because when you're making specific rules, usually it takes a process and it can be challenging to update those rules.
Kip Boyle: Right. Right. Okay. So compliance regimes can go stale.
Jake Bernstein: Yes, absolutely. Sometimes they can go stale even before they're fully implemented, which could be frustrating. Then I think last, they're not necessarily, and I say that and I really do mean it, there are some compliance regimes that are tied to practical or operational cybersecurity, but a lot of them are more academic in nature. They're not necessarily based on what we would consider an industry best practice. A lot of statutory regulation is, of course, the result of the sausage making that is legislation.
Kip Boyle: So how about a couple of examples? So when I hear about a regulation that's very specific, I immediately think of the payment card industry's data security standard. PCI DSS.
Jake Bernstein: Yeah, and that's actually a good example of industry self-regulation, although it is a very specific set of standards and those will dictate... They will give specific numbers. If you don't process a million or more cards per month or per year, then you don't have to be fully compliant. You can do a self certification. I mean, that kind of thing.
Kip Boyle: And then the standard itself, it has things like, you need to use this encryption algorithm, and not that one. You need to use key lengths that are at least this, but no less, right?
Jake Bernstein: Yep.
Kip Boyle: So there's just a ton of specificity in there, and it is all about you either have it or you don't. I mean, it's yes or no, very compliance-y.
Jake Bernstein: Yeah. Well, and I think the hallmark, which I didn't even mention of a compliance regime is often a checklist and checklists are good and bad. Used properly, they make sure that your plane takes off and lands. They make sure that hopefully, implements-
Kip Boyle: You get paychecks on time.
Jake Bernstein: Yeah. Implements aren't left in your body after surgery. I mean checklists are important. The thing about a checklist though, is it has to be pretty specific.
Kip Boyle: Yeah. Well, I think a checklist assumes that the situation that you find yourself in is pretty static. I mean, when you do surgery, surgery's surgery. I mean, the procedures change, but the basics of surgery really don't change, right?
Jake Bernstein: Yep. I mean, certainly there's things that you do at the beginning and at the end of every surgery, that are always the same. There's never a surgery where you don't wash your hands. So that's where that's where checklists can be useful, and frankly, a lot of compliance regimes are based on checklists because those are easy to test, right?
Kip Boyle: Yep.
Jake Bernstein: If we move toward practice and what is practice? Well, it's based on real world experience and what actually works. It's flexible. It often will strive for reasonableness. This always includes a cost benefit analysis. Is something worth doing or is it just too expensive? Then I think a good cyber security program, which is in practice, focuses on creating a security culture, using common sense behaviors, managerial and technical support to create a sustainable environment for good cybersecurity. Think about how difficult it would be to put that in a checklist or to put it forward in compliance.
I mean, even though, right now, a lot of cyber security things are based off of quote, reasonableness, a lot of people complain about that because they say, "Well, what does that mean? What do you want me to do? What does that look like?" And so-
Kip Boyle: Yeah, I'm not an expert. Just tell me what you want.
Jake Bernstein: Well, and you have that tension, right. I mean, compliance gets a lot of attention because it is something that you can do. It's doable. It's tangible.
Kip Boyle: Yeah. And I think it's scalable too. I mean, if you're asking people, "Do you do this or do you not do this?" And it's yes or no, and if you're governing, if you're a regulator and you've got thousands of organizations accepting credit cards, you've got to have some way to measure that from a distance. I mean, you've got to have some way to scale that up and I think that's one of the reasons why compliance approaches are so popular.
Jake Bernstein: Yeah. They are. And again, the checklist has strengths and weaknesses, and if you just put, if your checklist says, "Be reasonable." That's very difficult. All right, that doesn't mean anything. And in fact, I think this is super fascinating that we're having this conversation right now, just really days after the 11th Circuit comes down in LabMD versus Federal Trade Commission and says, from a legal perspective, "The problem with your order, Federal Trade Commission, is that it's too vague. It's not specific enough."
There's a lot of debate over what this actually means for the FTC. Ironically, the 11th Circuit said that it didn't want to see the FTC micromanage compliance and security programs, but its order does the opposite by telling the FTC, basically saying, "Sorry, this was not specific enough." So by doing that, the 11th Circuit is actually shooting itself in the foot. It didn't want the government to micromanage, but it told them that it can't just say, "Be reasonable," so now the government's going to come in and say, "Okay, here's what you have to do," and how that plays out is going to be really interesting.
In fact how this whole debate plays out is going to be interesting because you think about fire protection. I think we've talked in the past, perhaps not on this podcast, but I know we've talked about how cybersecurity right now is a lot like early fire protection, particularly with the way insurance works. But what's the problem there, right? Well, compliance with a fire code is super easy. I either have enough sprinklers and fire alarms and smoke detectors or I don't.
Kip Boyle: And we know how many you should have and how far apart they should be, because fire is a pretty predictable phenomenon-
Jake Bernstein: Exactly. And I was-
Kip Boyle: ... with certain types of material.
Jake Bernstein: It is. We know flame, there's a lot of... There's fire science and most importantly, fire doesn't innovate. It's not the same as cyber security when the adversary isn't some natural phenomenon that we can have control over. Instead, it is people.
Kip Boyle: It's viral. It's more like a flu where every year the thing is changing and we have to create a brand new vaccine every year that is very speculative about what flu will we be dealing with this year and we have to make lots of guesses and the efficacy of flu vaccine varies from your- [crosstalk]
Jake Bernstein: It does.
Kip Boyle: ... because of that.
Jake Bernstein: Yeah. And I would say that that's just fighting against a natural force, that happens to be randomized. It's far worse to be fighting against other human intelligences deliberately trying to make life difficult for you. So it's very difficult to set up a compliance regime that you can use with a checklist when your adversary is another human being who is trying his or her best to mess with you.
Kip Boyle: Right. Now you had talked a moment ago about the problem of a regulation that comes into effect and is already out of date or stale. Were you thinking about a certain one? Could you give an example of that?
Jake Bernstein: I think there's lots of examples in environmental science, for example. They work hard, they spend a lot of time and energy updating those regulations because the science will change. Oh, it turns out that 50 parts per billion is way too much for this particular chemical, so we're going to change it to five parts per billion, and they have to go in and update the regulation and there's a rule making process and there's this whole thing called the Federal Administrative Procedures Act, which determines how federal agencies can set out regulations.
One of the things that doesn't happen with the FTC very often is quote, a formal rule making, and I don't know that you and I have ever even talked about this, but there are some in congress right now who would like to see the FTC do formal rule making more often, which is good and bad. It's good, it can create more certainty. It definitely, by very definition of the process, it brings in public comment and there's law surrounding how the rules are made. The problem though, is that once again, it can take so long that it can't react. I mean, the reason you haven't seen that rule making in place in the cybersecurity world is that we all know that that's not effective.
Kip Boyle: Right. I mean, to me, I think about a rule, if there was a rule that says, "You need to have antivirus software loaded on your computers, because we all know that getting a virus on your computer is bad and can lead to a data breach and other kinds of cyber failures." But, there was a point past which it was necessary, but insufficient, to have antivirus because now all the malicious codes that are particularly effective against us are ones that are based on zero-day exploits or unpatched systems, and so now-
Jake Bernstein: Or social engineering, which is by far the biggest threat.
Kip Boyle: Yeah. So you've got to keep up with that stuff, and as you say, it's always changing. Yeah, okay. Those are great examples of how compliance can come. You can rip the wrapper off the latest compliance checklist and, "Oh. It's already stale. Darn it."
Jake Bernstein: Yep. How about your list? Obviously I think I took a very legal approach to it, I'm curious what you thought. What's your perspective?
Kip Boyle: Yeah. Okay. Well, so that's what makes our podcast so interesting is you got the lawyer and the CISO talking to each other. Yeah, so here's my list. First is I thought of compliance as something that's generally very narrow. So you've got HIPAA for example, it's a compliance regime that's focused on electronic health records. So in contrast, practicing cybersecurity, I think would include more than just a narrow focus, because most organizations, if you've got electronic health records, you've got a lot of other digital assets as well that HIPAA doesn't speak to.
A good example of that might be, you've got W2 data in your possession because you've got people on a payroll and so if I'm cyber attacking you, or if I'm an insider and I'm trying to steal information that I can resell for money and if I see that you're all over the patient records, very focused on keeping those secure, but you haven't put a lot of energy on payroll data. Well, then I'm just going to attack the payroll data.
So I think that's one of the disadvantages of compliance is that it really draws your attention to a specific area and doesn't care at all about any of the other areas. It's like that college professor that just piles on the homework and the reading assignments, like their course was the only one you are taking.
Jake Bernstein: Only course you're taking. Right. So PCI DSS being another very, they only care about one thing.
Kip Boyle: That's right.
Jake Bernstein: Credit card information.
Kip Boyle: Cardholder data, and you know what? A very effective strategy for complying with PCI DSS and they tell you this in the standard is, you've got to really carefully consider your scope. For example, if you keep credit card information out of your email server, then your email server's not in scope, but if you don't do a good job of that, well then you got to put your email server in scope. And so by scoping down, again you're becoming very, very narrow and you're not paying attention to the other stuff.
Jake Bernstein: One could argue that the whole concept of scope is flawed when it comes to cyber security. The bad guys don't care what's in scope and what's not. As far as they're concerned, everything you have on every device that's on your network is in scope and that's how I would think of it. Scoping is a very artificial, and I think ineffective, method for taking care of cybersecurity issues.
Kip Boyle: Yeah. It's ironic, isn't it? Because when you scope something down, you're actually reducing the territory that you have to cover for compliance purpose. But then the downside of that is, well now you're leaving stuff out of scope and that stuff out of scope, what are you doing about that? And as an attacker, I love that, right?
Jake Bernstein: Yep. Oh, totally.
Kip Boyle: Because you're leaving stuff outside the gate at night when you close up the perimeter.
Jake Bernstein: Yeah. One of the things that I think we've left unspoken in this episode so far, is that we definitely, I think we both share a bias that compliance isn't real security. That compliance is an artificial construct that can lead you down a path of, I'd say, frightening inconsistency in your cyber security program.
Kip Boyle: Yeah. Well, inconsistency and then overlooking things like... I'm sure as an attorney, if I came to you and said, "Hey, I just went out to LegalZoom and I cranked out a complex legal document, and boy, I feel so happy about it." You're probably cringing on the inside saying, "Oh my gosh, that's a document factory. How can you be sure that that fits your situation?"
Jake Bernstein: You have no idea. And I have no idea until you tell me the facts and pay me a bunch of money and that's why LegalZoom has a business, but you get what you pay for.
Kip Boyle: Yeah. Well, right. So compliance is, you get what you get.
Jake Bernstein: It is. Yeah.
Kip Boyle: That was the first thing I thought of was compliance is very narrow focused. Another thing about compliance that I think is very different from practicing cybersecurity is compliance is typically measuring your state at a single point in time. I think of that in terms of public health. I'm often thinking about public health as an effective metaphor for cybersecurity, but to me compliance is like looking at your immunization record. It's like, "Well, when's the last time you had any immunizations?" "I don't know, two, three years ago, but at the time, I was compliant, because here it is and you can see that I've got all the shots that I need to get." But, "Hey, maybe you need a hepatitis C or a B or an A," and you're just thinking, "Oh, well, last time we went in, the doctor said I was good to go, so, I'm fine."
Jake Bernstein: Yeah. I think the interesting thing about that metaphor is immunizations, hypothetically, theoretically will last a period of time. I think that the point in time snapshot is actually much worse than the immunization program, and my example would be the weapons of mass destruction inspections that the UN and the US did in Iraq before the invasion. We had to give them notice, like weeks and if you talk to soldiers who were there, they say, "This is the stupidest thing in the entire world. We're telling them, 'Here we come, we're coming now,' and they moved the evidence."
Kip Boyle: Yep.
Jake Bernstein: So, of course they were always compliant. They didn't have weapons of mass destruction because they just moved them hypothetically.
Kip Boyle: They put them out of scope.
Jake Bernstein: They put them out of scope. I'm not trying to argue with anyone about whether or not they had weapons of mass destruction, I'm just saying this concept of this spot in time is... And really a lot of compliance regimes are like that, right?
Kip Boyle: Yes.
Jake Bernstein: You know when you're going to get audited, so you get ready for the audit.
Kip Boyle: That's right. That's right.
Jake Bernstein: And when the auditor comes in, you look really good.
Kip Boyle: Yeah. Freshly scrubbed.
Jake Bernstein: Freshly scrubbed.
Kip Boyle: Clean clothes.
Jake Bernstein: Right.
Kip Boyle: Smile on my face.
Jake Bernstein: No nuclear weapons here, auditor.
Kip Boyle: Exactly.
Jake Bernstein: And so the problem is, is that the next day you reset up your centrifuges or in this setting, you get lax. That's the much bigger danger here is that you get lax. You go back to doing what you were doing before. Maybe it doesn't take a day, maybe it takes two weeks, maybe it takes six months but at some point, if you don't practice cybersecurity, which is a full time job, then you lose whatever... Even if we assume that the compliance regime makes you more secure somehow, unless you're doing it full time and practicing it, simply being quote, compliant, wasn't enough.
I think the best single evidence of this concept is almost all of these big data breaches, particularly the Target, the Neiman Marcus, ironically, the payment card industry data breaches, those businesses were PCI compliant.
Kip Boyle: They were.
Jake Bernstein: It's not like they weren't compliant and that's why they got hacked. No, they got hacked because they had massive flaws in their overall security posture and quite honestly, those issues would've been out of scope of any PCI compliance, which is why they were compliant.
Kip Boyle: Or the requirements for PCI, just, quite frankly, weren't very effective.
Jake Bernstein: Or they weren't effective.
Kip Boyle: In the case of the Target hack, the forensics showed that the intrusion into the network that led to the data breach was, in fact, caught by their intrusion detection systems. The evidence was in there. The problem is that through a combination of people, process and technology, those alerts didn't get surfaced in a timely manner to the right people, so that they could take the right action to prevent anything bad from happening, so they spent millions and millions of dollars on people, process and technology and it still didn't work.
Jake Bernstein: Sounds to me like a management failure there.
Kip Boyle: Yeah. I would say, it rolls up to a management failure, but I also have to say that as somebody who has been responsible for erecting, and operating, those kinds of controls, it's an incredibly difficult job. I mean, just inherently, very, very difficult. You would think that putting intrusion detection on your network would be very similar to putting some kind of an alarm system on your warehouse, so that if somebody tries to break in and steal your merchandise, that it would be a pretty straightforward thing to know that they're in there, send the police and conceptually, this is what we're trying to do on the network, but it's wildly hard. There's just so much going on.
So even though everybody's doing the right thing compliance wise, the nature of the beast as we talked about before, is this is a really tough nut to crack. So I just want to wrap up my second point about compliance being a single point in time measurement, and just say that just extending the public health metaphor, cybersecurity practice is more like a journey. It's more like the things you do every day, so washing your hands after bathroom breaks and before you eat. Those are things that you do every day, many times a day, at certain times. Why? Because you don't want to get sick.
Jake Bernstein: Yep. Yeah. No, that's exactly right.
Kip Boyle: So that's the second thing that I... Then the third thing, which we've really hit on already, which is fine, is that compliance doesn't guarantee security, and as we just explored with the Target data breach, even practicing good cybersecurity doesn't guarantee that you're not going to get hit either.
Jake Bernstein: Yeah. Nothing guarantees it.
Kip Boyle: No, no. No, nothing guarantees it, but I mean, as a practitioner of cyber risk management and cyber security I'll take my chances with being a practitioner to stay out of trouble, than just being a compliance oriented person. I mean, if I've got to do one or the other, that's where I'm going to go. But I actually think that the best approach is to do what I call "mitigate once, comply many," which what I mean by that is, know what your risks are, have a good mitigation strategy and just make sure that your compliance obligations are baked into that.
One of the things we see all the time is that, if you're subject to HIPAA and PCI because you are a hospital that takes credit cards in the form of payments, and you've also got payroll data, well now you've got three different very high value pieces of information, and your overall program should be addressing all three of those and ideally, you don't have three different procedures. You've got one procedure, one set of procedures, that people can follow so that it's all baked in together. I mean, that's really the most economical and I think, most effective way to do it.
Jake Bernstein: Agreed. No, I think that's an excellent spot to wrap up with.
Kip Boyle: Yeah. Yeah, okay. So today we talked about compliance versus practicing security, here on The Cyber Risk Management Podcast. Thanks for tuning in. We'll see you next time.
Jake Bernstein: See you next time.
Kip Boyle: Thanks everybody for joining us today on The Cyber Risk Management Podcast.
Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.
Kip Boyle: And management's goals should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us, and consider becoming a member of our cyber risk managed program.
Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.