The Regulatory Domino Effect: Are More Compliance Mandates Making the World Less Secure?

Security professionals, legislators, and relevant industries have been calling for greater regulation for years as the business world continues to embark upon digital transformation. As technology continues to evolve, so do these compliance mandates—even some cities are grappling with facial recognition privacy bans.

These regulations are intended to help baseline security, protect privacy, and prevent breaches that have proven to be both costly and embarrassing. The inevitable side effects of breaches that impact personal data like Social Security numbers are irreversible.

But are we taking the right long-term approach to these regulations? I have seen a handful of rules that have made an immediate impact in an immature cyber world. The Federal Information Security Management Act (FISMA), the Payment Card Industry Data Security Standard (PCI), and the European Union’s General Data Protection Regulation (GDPR) are ones that come to mind.

When each of these regulations was first enacted, they each served a distinct purpose. Still, the regulatory landscape has unraveled, resulting in a domino effect security leaders didn’t expect.

Fast Forward to Today

It’s almost as if the effects of these requirements have spawned newer regulations that should cause us to take a step back and think before we draft any more. The California Consumer Privacy Act (CCPA) and the U.S. Department of Defense’s Cyber Maturity Model Certification (CMMC) are the most recent additions. Both of these regulations have the right intent; however, were they really necessary?

For instance, there are similarities between FISMA and the CMMC, seeing as the baselines of both regulations draw from the NIST framework. The steps security departments will need to take to comply with them will be so eerily similar that it creates confusion. A recent Inspector General report has even confirmed that the NSA is “lagging in all eight of the security areas” tied to FISMA.

Focusing on the payment card industry, Verizon's 2019 Payment Security Report found that compliance with PCI DSS “fell to 36.7 percent globally, down from 52.5 percent in 2018.” Are organizations struggling to comply, given the complexity tied to the increased use of technology in the enterprise, or are they getting bogged down in regulations? I'm all for securing my privacy rights with companies that have access to my data in California, but how different does the CCPA have to be from GDPR?

Let’s consider a small firm in California with users based in the United Kingdom. They have a government contracting business unit that conducts business with the DoD in the United States. They also process payment cards. The maze of regulations with many similarities is scary when you think of the cost this will add from a tools and process standpoint. Then there are also other global regulations coming from China and Russia, which would seem to trump all of these if a regulatory body wishes to enforce a specific penalty. But, when I look 10 to 20 years in the future, this is not the most significant concern.

The Largest Problem Created

By creating the regional and state enforcement of policies and guidelines, we lose the ability to see things from a global perspective, as well as potentially limit a company’s flexibility to save on costs in the global market.

Let’s revisit our previous example of the small California-based company. Imagine that by 2030, every state in America has a privacy protection act, all featuring slight variations. That’s 50 regulations the company has to deal with to conduct commerce within the United States. Keep in mind, they still need to comply with GDPR.

Given the uncertainty of Brexit, let’s assume those 28 member states of the EU decide they need some slight variations from GDPR. Further, let’s assume in South America, each of the 12 independent countries decides that they will each enact separate privacy protection acts. We’ll assume Canada is good with the Personal Information Protection and Electronic Documents Act, and Mexico sticks with its federal law on the protection of personal data held by private parties.

For this California-based company to conduct business in North America, Canada, Mexico, South America, and Europe in 2030, they may have to navigate 92 different slight variations on data privacy. Mind you, they’re still not operating globally at this point. We didn’t consider the other governments that will likely have a CCPA-esque regulation, or any other upcoming technology on which there will be calls for regulation, such as IoT and 5G technology. The internet is becoming more and more regionalized, and given that research indicates that “83% of enterprise workloads will be in the cloud by 2020,” cloud providers will need to be available in every region.

Where Do We Go from Here?

So what’s the solution? Individual countries, counties, and municipalities have had conflicting laws for centuries. But the big difference was that these were all bound to geographical locations and boundaries. Except for specific underlying network protocols, the internet and its users were never really meant to see geographic boundaries. Data is data; it flows over pipes on the internet and gets to its destination. So before a new regulation, act, or compliance mandate is proposed, we should think about how many more are really needed.

Perhaps, now is the time for one globally recognized cybersecurity regulatory body that all countries can participate in.

Each world power has the expertise that allows them to navigate these global issues while keeping regional equities at bay. They can answer the harder long-term questions.

Should everyone embrace GDPR as the global standard? That’s a valid question that’s yet to be answered. If that were to be the case, slight modifications could be made instead of complying with similar, yet different, costly mandates.

There are currently great examples of regulations that can be applied across industries, without having to draft new ones that create complexity. It’s vital to enable organizations to grow, but the domino effect currently taking place on the compliance mandate-front is prohibiting this. Let’s not forget that it’s also having a significant impact on the security posture for businesses.

Mark Whitehead is the Vice President of Security Testing at Trustwave SpiderLabs.
