Keeping up with European security and privacy compliance - the role of infrastructure and automation
The number of security and privacy-related regulations and compliance requirements in the UK and Europe continues to increase. In EMEA alone, we now have:
- The General Data Protection Regulation (GDPR)
- The EU Cybersecurity Strategy
- The EU Cybersecurity Act
- The recently revised Network and Information Systems Directive (NIS2)
- The Digital Operational Resilience Act (DORA)
- In the UK, the Cyber Essentials certification scheme (voluntary, but required for working with some government departments)
The list reflects governments' growing concern about, and emphasis on, security and privacy, and for good reason. According to Steve Morgan, founder of Cybersecurity Ventures, if cybercrime were measured as a country, it would represent the third-largest global economy after the United States and China. He anticipates that cybercrime costs will continue to rise 15 percent per year to a staggering $10.5 trillion USD annually by 2025. That number represents a 300 percent increase since 2015 and will make cybercrime "more profitable than the global trade of all major illegal drugs combined."
While the 2022 (ISC)2 Cybersecurity Workforce Study reports that the cybersecurity workforce is at an all-time high, the data also revealed that 3.4 million more cybersecurity workers are still needed to secure assets effectively. Simultaneously, cyberattacks continue to increase exponentially – both in quantity and sophistication – and a vulnerability can result from a misconfiguration on even a single server. Because of this, organisations must find more efficient ways to address risk, and IT operations can play a vital role in ensuring security-related compliance is being met.
However, even when they know they can contribute to better security and compliance, IT operations teams often take action only when a problem has been identified, perhaps as a result of an audit failure or a security incident. This attitude is understandable, given the daily issues they are fire-fighting and that these teams often run incredibly lean, subject to budget constraints and a shortage of appropriately skilled staff.
A further challenge is that audit exhaustion and frustration are high — even more so since the pandemic — due to shortages and frequent turnover of auditors, excessive workloads for audit teams, multiple regulations for organisations, and a period during which auditors had to pivot to conducting their work remotely. Organisations now often rely on intricate supply chains, and audits have been made more complex by the interweaving of multiple requirements across different companies. Yet the need to provide clean audit information has never been more important, especially when coupled with the increasing cost of external audits: a 2021 Gartner survey showed that 62 per cent of organisations expected external audit fees to increase during that year.
The demand on humans is not the only issue: it is unrealistic to expect that large amounts of manual infrastructure deployment and audit activities will not result in misconfiguration. In fact, according to the 2022 Verizon Data Breach Investigations Report, an estimated 82% of security issues involve a human factor.
Fortunately, much of the risk can be eliminated by applying a few best practices, and these can be achieved in ways that minimise the impact on the finite bandwidth of IT operations teams. Starting at the top, there needs to be greater awareness and acceptance that infrastructure compliance is part of IT operations. Good security and compliance hygiene should be instigated at the technology infrastructure level rather than relying solely on sporadic and infrequent checks by compliance or security teams. A compliance-focused culture also entails regular training and communications, and accepting that compliance is an ongoing activity rather than a one-off exercise. After all, cyber threats never sleep and never stop evolving.
Continuous compliance
It is also vital to implement continuous compliance. This ensures requirements are constantly being addressed: a desired state for the IT infrastructure is defined, and the actual state is frequently measured against it. Using an agent-based approach ensures that the infrastructure automation technology handling compliance tasks sits close to the server, providing real-time visibility into configuration data. With continuous compliance, policies are written as code, which is easily repeatable and can be tested automatically.
To draw an analogy, it is like managing all the items for sale in a supermarket, ensuring they always have the right price and are in the correct shelf location. For an employee, that would be extremely difficult and time-consuming to achieve. In contrast, if that process is automated, the information is delivered in one place, without a member of staff going anywhere near the shelves. It is precisely the same with servers: the less frequently and less comprehensively they are checked, the greater the chance they will fall out of compliance.
Automation to the rescue
Automation permits thousands of servers to be checked in greater depth and frequency than would ever be possible were the activity to be performed manually. In addition, verifying configuration and rectifying issues every 30 minutes rather than once every six months eliminates the frantic scramble that typically accompanies a major audit. This model of continuous compliance becomes even more effective when built on a foundation of industry-recognised security standards or benchmarks, such as those published by the Center for Internet Security (CIS) and the Defense Information Systems Agency (DISA). Adopting established, proven guidelines alleviates teams of the burden of becoming security experts and then creating and maintaining their own baselines.
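As an added illustration of the "desired state, measured against frequently" model described under continuous compliance and of a baseline-driven check (this is not code from the original article or from any particular automation product), the following Python evaluates a constructed sshd_config against a small desired state expressed as code, reports drift, and remediates it. The desired values are illustrative hardening choices, not quoted from a specific CIS or DISA benchmark.

```python
"""Policy-as-code drift check and remediation for an sshd_config."""
from typing import Optional

# Constructed sample sshd_config; not captured from a real host.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
X11Forwarding no
"""

# Desired state expressed as code (illustrative values, keywords are
# case-insensitive in sshd, so they are normalised to lowercase).
DESIRED_STATE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective value of each keyword. sshd honours the FIRST
    occurrence of a keyword, so a later duplicate must not overwrite it."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        effective.setdefault(key.lower(), value.strip())
    return effective

def find_drift(text: str, desired: dict[str, str]) -> dict[str, Optional[str]]:
    """Map each non-compliant keyword to its effective value (None if absent)."""
    actual = parse_sshd_config(text)
    return {k: actual.get(k) for k, v in desired.items() if actual.get(k) != v}

def remediate(text: str, desired: dict[str, str]) -> str:
    """Rewrite the config so every desired keyword holds its desired value.
    Every copy of a drifted keyword is removed and a single correct line is
    appended, so the first-match rule cannot reintroduce the drift."""
    drift = find_drift(text, desired)
    kept = [raw for raw in text.splitlines()
            if raw.strip().partition(" ")[0].lower() not in drift]
    kept.extend(f"{key} {desired[key]}" for key in drift)
    return "\n".join(kept) + "\n"
```

Run on a schedule (the article's every-30-minutes cadence, for instance), `find_drift` returning a non-empty result is the signal to alert or remediate, and re-running it on the remediated text is the test that the policy was actually enforced.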
Automated IT infrastructure with built-in standards-based compliance eliminates the human error that can easily occur during manually intensive processes. Automation is also far more scalable. This is an essential point because, as infrastructure complexity continues to grow, IT operations will likely come to view this work as untenable; that is less likely to happen when the heavy lifting is removed. As a result, continuous compliance becomes another way IT operations can demonstrate value to the organisation, helping to deal with security risks and supporting critical compliance initiatives. With the number of cyberattacks and regulations both on the rise, now is the time to put the framework in place for a more automated and compliance-driven IT operations strategy.