Prove you made the effort to comply with regulation, and you should be feeling the gratitude.
In my last column, I made the point that the regulatory model is broken: there is little or no consideration of how people work or of the technology involved, and too much leeway is given in some instances - like the BA breach.
Here is the other part of the conversation about the broken regulatory model: the UK government hasn't allocated the money to the regulatory bodies to hurt anyone. We only hear about a regulatory investigation when a complaint is made or when an organization has suffered a data breach.
Consider operational technology - no national critical infrastructure company will ever be compliant with every single facet of the policies and best practices that are being pushed out. Why? Because a legacy tech stack exists.
Let's look at PCI DSS. It's a great example: it basically says there are password length and complexity requirements that you have to meet, with no wiggle room. Yet many companies are running legacy tech on the same network where PCI DSS data will be processed, and you can't set a password of more than eight characters, and you can't use anything other than lower- and uppercase letters, because the systems don't accept it.
In a lot of cases, those are business-critical billing and operational systems that have existed since the 90s or even the 2000s. Potentially, these cannot be patched, or they may be out of vendor support, or the operating system is out of vendor support, and, even more likely, the data exchange mechanism dates from the early days of the internet.
So, where does it leave you as a national critical infrastructure provider? It leaves you in this precarious place where you must justify the lack of investment from the business in the legacy tech stack and basically plead your case and say, ‘we have these things, they're out there, they're exposed, but honestly we don't have the millions of dollars it would take to bring these things up to the current state of regulatory compliance’.
GDPR is another area where we are struggling. It had exactly one paragraph on how you should protect sensitive data in your organization. It was not prescriptive; it basically says you should use encryption. It didn't tell you what kind of encryption, or at what level that encryption needs to take place.
So, companies went forward into the marketplace and basically said, ‘we have all the sensitive data, we get it, we're encrypting it, okay?’. It was OK until it was not OK, and they never had an inkling that they were in violation of GDPR until they were breached, and then there's an investigation.
Here is a great example of compliance vs operational reality. ‘Data encryption at rest? Yes.’ But if we go deeper and find ‘decryption key in a text file along with credentials on the desktop’, then we need to ask compliance questions about the effectiveness of the data encryption and set aggressive audit standards, because without those you get the above ‘shortcut’, which is effectively no data encryption at rest.
As for the bad publicity, that certainly happens when it all comes out in a FOIA request or class action court filings, which can then be leveraged by the regulator - if they are so inclined and the case is in the public interest - to move forward with the threat of a whopping fine.
So how do you hold an organization accountable in a situation where they are following the basic cybersecurity frameworks - Cyber Essentials, ISO 27001, NIST 800 - and did everything they were taught to do, but still got breached and are now going to get fined? It makes no sense!
What I'm calling for, and what I'm passionate about, is a reasonable approach to cybersecurity here. We can determine that the organization made a best effort, that they got above a red line, whatever that line is. That they spent enough money based on their annual revenue, or they've invested enough that we can say they were not negligent; they were the victim of a sophisticated cybersecurity attack that breached their defenses.
Prove the fact that you made the effort, and I will be sympathetic. Lie about it and I will pray for your immortal soul.
Written by
Ian Thornton-Trump
CISO
Cyjax