In the information age, data is the most valuable asset, making it a target for criminals. As organizations handling confidential and personal information continue to grow, governments globally have started to regulate how data is classified and what measures enterprises need to take to secure it from bad actors. This has resulted in increased pressure on businesses to diligently maintain regulatory compliance or risk heavy fines and lawsuits.
“It’s the reality we’re living, and we have to continue living in it, and we have to prepare ourselves so we can provide that information to our data officers and compliance officers at any time,” Amer Deeba told the Information Security Media Group. The remark came in response to a question put to Deeba, the CEO and co-founder of Normalyze, a cybersecurity company whose platform helps users secure sensitive data in multicloud environments.
In 2023, the National Cybersecurity Strategy Implementation Plan was introduced by the Biden administration in the United States. It lists 65 federal initiatives to combat cybercrimes so that the U.S. can develop a resilient cyber workforce and strengthen its digital economy. According to the NCSIP fact sheet shared on the White House website, each NCSIP initiative will be assigned to a responsible agency with a stipulated timeline for completion.
The policy marks a significant shift in attitude on two fronts. First, it increases the burden of cybercrime risk mitigation on the biggest and strongest entities, public or private. And second, it incentivizes long-term investments in the cybersecurity sector. The five key pillars of the NCSIP are as follows:
- Defending critical infrastructure: NCSIP encourages interagency and public-private partnerships in combating cybercrime and protecting critical infrastructure.
- Disrupting and dismantling threat actors: It reinforces the role of the Joint Ransomware Task Force, a team led by the FBI and the Cybersecurity & Infrastructure Security Agency, to neutralize cybercriminals and threats.
- Shaping market forces and driving security and resilience: The policy encourages software transparency and urges market actors to hold their vendors accountable for implementing secure development practices.
- Investing in a resilient future: It establishes technical standards as foundational to the internet to ensure the security of cyberspace.
- Forging international partnerships to pursue shared goals: The policy also acknowledges the global nature of cyberspace and, consequently, encourages close collaboration with partners to ensure safety in cyberspace.
Emphasis on Cloud Security
The proliferation of cloud storage services has led to their being recognized as a threat; therefore, the policy emphasizes the protection of digital infrastructure. Major cloud service providers (Amazon, Google, and Microsoft) are now obligated to enact adequate protections for the data stored on their servers.
Cloud storage isn’t inherently bad. On the contrary, it’s very cost-effective. However, it does create security issues. According to a study by the Enterprise Strategy Group, “Data is shifting to public clouds ahead of organizational readiness to secure it.” Such a situation creates a dire need for enhanced cloud data security.
Impacts and Opportunities
The implementation of the NCSIP creates a host of impacts and opportunities, highlighted below:
- Compliance costs: Complying with NCSIP will require companies to invest in employee training, regular audits, and updated security infrastructure.
- Legal and financial consequences: Failing to adhere to new regulations can result in heavy fines, lawsuits, monetary losses, and even reputational damage coupled with loss of revenue and customers.
- Operational changes: Organizations may have to redesign their services, products, or business models to comply with the NCSIP. They may also have to reassess their data processing and storage policies.
- Increased competition: The new policy has competitive implications because it risks reducing the competitive edge of organizations unable to adapt to the changing regulatory landscape. However, it also presents an opportunity for organizations to grow should they successfully implement the NCSIP.
- Cross-border data transfer: Organizations will have to revisit their data-sharing policies because the NCSIP seeks to regulate how organizations share their data, especially in cases of cross-border data transfer.
- Public-private partnerships: Enterprises will have to collaborate with government agencies like the National Institute of Standards and Technology to stay updated on the evolving regulatory landscape.
- Increased public trust: Organizations that successfully implement the NCSIP will earn the trust of their clients and benefit from increased customer loyalty and a positive brand image.
“I think it is a good thing for information security because it helps bring the rigor and make organizations look for that visibility and bring that control back so they can see where things are and how to secure it,” said Amer Deeba.
Deeba’s agentless cloud security platform scans for an organization’s data across multiple cloud services, classifies it based on its sensitivity, and alerts the organization if that data is at risk. It’s also a great tool for ensuring regulatory compliance. He noted, “We have to prepare ourselves so we can provide that data and that information to our data officers and compliance officers at any time. So taking that step back and looking at things that way and preparing for it is the right way to go.”