SINGAPORE--As regulations that direct how organizations manage data security grow significantly in the next three to six years, governing bodies in Asia need to instill more "stick", according to a McAfee expert.
Institutions such as the region's central banks provide "the carrot but there's not much stick yet", Stuart McClure, vice president of operations and strategy in McAfee's risk and compliance business unit, said in an interview last week. Such bodies need to "be a pain in the neck", stating that "certain things have to get done by a certain timeframe, or there will be consequences"; at the same time, the deterrents need to be exercised.
Using the United States as an example, McClure, who also founded Foundstone and co-authored Hacking Exposed: Network Security Secrets and Solutions, said a bank's bond ratings go up as an incentive for meeting requirements such as the Sarbanes-Oxley Act (SOX) or the PCI DSS (Payment Card Industry Data Security Standard). On the other hand, the bond ratings go down and a bank can get fined if it fails to comply with such standards.
"There might be some minor things that can be done, but if [the regulatory bodies] take [guidelines and control] further and extend it and make it more restrictive and prescriptive, you're going to get more security," he pointed out.
When speaking to regulators such as the Monetary Authority of Singapore, McClure points out that the likes of SOX will become more broadly adopted, and globally, too. Currently, SOX is concerned with the security and health of financial systems, but there may be components from other broad-sweeping regulations that, for example, lead to oversight of all IT systems.
At the same time, there will be an increasing convergence of technical regulations such as PCI DSS with more business and financial standards such as SOX, he added. Such regulations will also become more prescriptive.
"There'll be basically two parts to the same solution of data [security]--ensure financial statements and finances in business is healthy and have your systems and networks highly available to do business," he explained.
McClure continued: "AP (Asia-Pacific) and EMEA (Europe, the Middle East and Africa) are trying to play catch-up with a lot of these requirements. They haven't been proactive because it hasn't been demanded of them.
"I'm starting to see that now so, as APAC…gets more and more regulations and compliance, the more secure it will be," he noted. "At the same time, I often caution that compliance is not equal to security. Just because you get compliant, it doesn't mean that you're secure. In fact, it usually means the opposite."
Organizations, he warned, often focus on just being compliant to regulations "as opposed to looking at the bigger picture of what needs to be done" to become more secure or immune to attacks.
Breaches suffered by companies such as U.S. payment processor Heartland Payment Systems and retailer parent TJX strengthen the case that compliance is not enough, he said, as their systems were hacked within three months of being PCI-compliant.
To better prepare for the onslaught of tighter regulations, organizations need to first understand the current threats, as these will be the driving force of regulations, said McClure. Security metrics should also be built in to offer greater clarity into corporate vulnerabilities or weak passwords.
Organizations, he added, should also look at initiating "incremental top-offs", performing consistent upgrades and updates rather than a major overhaul or review.