While COVID-19 may have ground most of the world to a halt, unfortunately, we can't say the same for hackers and cybercriminals. And with the majority of economists predicting a global recession by the end of 2020, malicious actors are more eager than ever to capitalize on the chaos.
Traditionally, one of the best ways to establish the foundation of a cybersecurity program is the adoption of regulatory frameworks. The Payment Card Industry Data Security Standard, or PCI DSS, sets guidelines for payment data security. The General Data Protection Regulation (GDPR) sets the standard for data privacy in Europe. The Health Insurance Portability and Accountability Act (HIPAA) does the same for personal health care information and Defense Federal Acquisition Regulation Supplement (DFARS) for defense contractors.
But frameworks will need to evolve in the wake of the current global pandemic.
Frameworks and standards have changed significantly since I began my cybersecurity journey more than 20 years ago. Based on that experience, and the changes I see on the horizon, here are the key cybersecurity compliance trends to expect in the post-COVID landscape.
Outsourcing Compliance Will Increase
The economic climate we've been accustomed to is unprecedented if you think about it. We've had an uninterrupted bull market for the last 11 years, with relative peace and security. This is especially true in the United States and much of the Western world.
But with the current economic stoppage — and a potentially sustained downturn — organizations will be forced with some tough choices. As companies look for ways to become more cost-efficient to weather the storm, cybersecurity and compliance budgets will be put under the microscope.
What I expect to see is an increased interest in compliance outsourcing services. That doesn't necessarily mean layoffs of internal cybersecurity and compliance professionals. Rather, businesses will want to contain costs by working with third-party vendors and partners on an ongoing basis.
Fintech and payment technology companies, for instance, may choose to outsource their PCI DSS efforts with version 4.0 on the horizon. If the choice is between beefing up internal compliance staff with fixed costs or outsourcing on a flexible basis, the most cost-effective choice in the post-COVID world is working with a third party. Frameworks will need to accommodate increased outsourcing by raising the bar for third-party vetting and assessments.
Keeping Pace With New Technologies
If COVID-19 has taught us anything, it's that the future is truly faster than you think. A global pandemic has quickly jumped from the realm of science fiction into becoming our day-to-day reality. The same will be true for regulatory frameworks and how they'll adapt to emerging technologies.
Take PCI DSS 4.0 that's right around the corner. The revised framework will include provisions in their assessment model for larger-scale cloud environments because the framework needs to need to evolve the standard to accommodate rapid changes in technology.
Risk mitigation techniques need to meet the threat landscape with greater flexibility and support organizations using a broad range of controls and methods to meet security objectives. The revised frameworks will have separate tracks involving prescriptive measures for controls, authentication, encryption, monitoring and access controls. This protects cardholder data both at rest and in motion when using the cloud.
While COVID-19 is hindering most business sectors, I don't think that will be the case for the entire technology sector. If you look closely, there are still a great many new services and technologies available to help businesses succeed. But regulatory frameworks like PCI DSS, GDPR or the HIPAA are already slightly behind the technology curve.
What is already happening is that regulatory bodies are relying on compliance assessors to come up with custom controls for technology environments not addressed in current regulations. That will make it even more important for businesses and organizations to select and work with the right compliance assessor, regardless of industry or framework.
Pursuing International Compliance Collaboration
The capacity for global cooperation is being stretched to its limits by the COVID-19 crisis. Tomorrow's cyberthreat landscape will likely do the same, with hackers and cybercriminals that are truly borderless. That's why data security and governance needs to be more international.
What we need are more globally recognized cybersecurity frameworks that are standardized across the board and, more importantly, international enforcement that can tear down the border when it comes to catching and prosecuting cybercriminals. This is already happening to a certain extent, with GDPR being a prime example. The key will be generating compliance frameworks that are actually enforceable across borders.
International regulatory frameworks will also need to consider that cybercrime incentives may bend even further toward the side of hackers. If we do enter a global recession with scarce financial resources, more people will be attracted to cybercrime. Not to mention existing hackers becoming more aggressive than ever to capitalize on COVID-19 uncertainty.
Even if the global economy stalls, bad guys simply won't slow down. Businesses should look toward compliance frameworks to potentially initiate a cybersecurity program to get them through any potential downturn. They should seek out qualified third parties and vendors to help them comply with regulations like PCI DSS or HIPAA. Once the pandemic subsidies — and it will at some point — expect to see a more international approach to data security and fraud prevention frameworks.
