Chief security officers need to comb through the wording of the governmental and industry security regulations their businesses must comply with if they want to secure their networks and stay out of legal trouble.
The cost of failure to comply can hit close to home, because some laws make corporate officers personally responsible for protecting the sensitive financial and personal information handled by their data networks, attendees were told last week at Interop Las Vegas's CSO Bootcamp.
"If I were 20 years younger I would be getting a law degree," says Al Kirkpatrick, CISO for First American, one of the speakers at the event.
CSOs need to understand the regulations themselves and the requirements for proving they have complied and are continuing to improve network security, he says.
In addition, CSOs have to hire outside auditors to prove they are compliant, and that brings a whole separate set of legal challenges. "Now, on top of everything else, you have to become a contract lawyer," he says.
Outside audits are necessary to know whether security programs are working, but they need to be done carefully. Contracts with auditors should spell out exactly what will be audited and include clauses allowing the company to halt the audit if it disrupts or threatens the functioning of the network. "The last thing you want to do is open the doors and say 'wander around and call us when you're done,'" he says.
The same standard holds true for audits requested by business partners who are trying to meet regulations that require them to ensure the data they share is handled securely by the companies they share it with.
Kirkpatrick suggests assigning someone to bird-dog the auditors, not to obstruct them but to make sure they don't investigate beyond what they need to know. The auditors could represent a threat. "Vet anyone who does the audit. You need to know when it will be done and retain the right to monitor it and shut it down if it goes outside the scope and if it risks network uptime," he says.
Whatever shortcomings auditors find should be welcome. "You're rarely your own best mirror," Kirkpatrick says.
Some business partners send questionnaires about network security rather than require audits, and these should be filled out carefully by knowledgeable staff who can accurately answer the questions, he says.
Because multiple questionnaires will come from multiple partners, it is important to have the same team fill them all out so the answers stay consistent. Since the questions are similar but not identical from one partner to the next, it is also more efficient for the same people to respond, he says.
The questionnaires need to be taken seriously, he says. "The units need to be careful filling it out; it's a contract."
It is essential that partners sign non-disclosure agreements about the answers to their questionnaires so they don't become another source of risk, Kirkpatrick says.