State Of The Union: Layer Security Or Prep For Legal Battles



Dan Gunderman
12/13/2017

Cyber security as a whole boasts an enormous platform with many flanks to protect. This protection extends to hardware, software, the IoT space, applications, databases, cross-channel passwords…you name it.

So how does a practicing enterprise security professional handle this day-to-day? Is enterprise security far too extensive for full containment?

This is where legislation comes into play. And this is a maturing political arena ripe for discourse – as technology becomes more comprehensive, user-friendly and thus more accessible.

To elaborate, think about the numerous attacks siphoning hundreds of millions of dollars from global corporations. Outside of a single CISO, how do large enterprises play watchdog over all of these burgeoning threats?

It’s a tall order. Still, some overarching policies are in place that attempt to govern cyber practices. This means enterprises are subject to treatment by the Federal Trade Commission (FTC) and to guiding principles set forth by the National Institute of Standards and Technology (NIST).

Enter Jamal Hartenstein, the senior program manager for California Public Employees Retirement System’s (CalPERS) IT Security Roadmap Program. Hartenstein manages the IT security budget and liaises between cyber security divisions and legal departments. CalPERS is the largest public pension fund in the U.S., and thus Hartenstein must be able to navigate nascent cyber security law and be at the forefront of threat defense.

In an interview with Cyber Security Hub, Hartenstein weighed in on the state of cyber security and the many threats lawmakers and public servants are attempting to curb or mitigate.

While headlines continue to swirl about so-called mega-breaches, and CISOs continue to come under fire for their respective actions within the enterprise, provisions are coming to the forefront which may help govern the cyber security space. Still, U.S. policy on cyber security is far from standardized and its “piecemeal” effect is both layered and at times tough to monitor.

Hartenstein said that upcoming revisions to the NIST Cyber Security Framework (CSF) could streamline the governance, risk management and compliance (GRC) processes.

“When Executive Order 13636 generated the demand for the development of a unifying governing body of frameworks, we were not able to do that just yet without more information-sharing on threats and what different organizations are doing about them,” Hartenstein said, as previously reported by CSHub. “The new focus of the framework will be applicable to unique threat exposure, business objectives and the appetites for risk of each of the various types of organizations who are expected by law to utilize the framework.”

Revisions to the framework (deemed NIST 1.1) are open for public comment until January 19.

With regard to current law that could help light the way for enterprise security professionals, Hartenstein pointed to Equifax’s eDiscovery case (eDiscovery being the gathering of electronic data as evidence in a civil or criminal case). He said it “may set precedents for cyber professionals with regard to how security departments are expected to be prepared for a legal claim, even before one is ever filed.”

“CTO and CIO (not necessarily CISO) executives are likely to demand that practices are in place that will ease the level of effort and decrease costs of eDiscovery in the unfortunate event a legal claim may be filed,” Hartenstein added.

Hartenstein suggested that much of today’s pressing news involves the FTC’s standing and their ability to dictate cyber practices through the 100-year-old clause that can impose consent orders on the enterprise.

“The FTC standing was substantiated in the case of FTC v. Wyndham Resorts,” the CalPERS senior program manager said. “The lawyers who argued this case for the FTC helped set a strong precedent not only for more strict adherence to NIST, but that they can pretty much pick apart almost any organization that doesn’t have perfect cyber security measures in place.”

Hartenstein also said that for private parties in class action lawsuits, there is more of a burden because they must prove damages. This makes it difficult to sue organizations that didn’t protect their data well, as they can claim the accessed data was not used to harm consumers.

Hartenstein said oftentimes, organizations are able to defeat initial prima facie claims and get the case dropped.

In terms of disclosure, Hartenstein said that there is some confusion over an organization’s ability to answer “yes” to whether their data is encrypted. He underscored the importance of layered security.

“Not all encryption is created equal and the media and lawyers don’t get that just yet,” Hartenstein said. “CISOs do, and some might be doing the bare minimum just to be able to say, ‘we encrypt data.’”

“My point of concern is whether you do the minimum to get class actions thrown out, or adhere to NIST…the FTC can still get you,” he concluded.

In discussing the looming GDPR measure, which could affect multinational organizations, Hartenstein pointed to the “Morrisons” case in the U.K., where the supermarket is being held vicariously liable for the actions of a rogue employee who released sensitive data. The court opined that if “Least Privilege” principles were in place, the incident should have been prevented.

“Organizations are becoming responsible for the rogue criminal acts of internal employees,” Hartenstein said, before suggesting CISOs minimize employee roles to certain data sets and privileges in identity and access management (IAM) systems, etc.

Lastly, on the glaring talent crisis or “skills gap” present in the cyber security space, Hartenstein said that universities across the country have built cyber security degrees or certificate programs into their available curriculums.

Hartenstein called it a “push at the federal level to promote cyber security research and increase the pool of cyber professionals.”

"State of the Union" will be a monthly feature on Cyber Security Hub, deconstructing policy news as it relates to the enterprise.
