Innovation is key to ensuring that technology’s best tools for consumers get even better, but that progress could be stymied by some of the industry’s most stringent regulations. To understand how a new approach to regulation could speed up innovation while still ensuring cyber and information security for consumers, we spoke to Anil Karmel, CEO of C2 Labs.
ABERMAN: Well, I hear that this is an issue, but why is compliance such an issue for so many CEOs?
KARMEL: Well, the reality is, heavily regulated industries have to adhere to multiple conflicting security requirements. Things like NIST 800-53, PCI DSS, HIPAA, ISO 27001, the list goes on and on, just starting there.
ABERMAN: Those are all acronyms, and oh my god, I’m a CEO and my head started to hurt. So don’t I, first of all, have to understand what those things actually relate to?
KARMEL: The reality is, based on your business, you have a multitude of requirements that you are required to adhere to to do business. If you don’t adhere to these requirements, you actually get penalties and fines and could potentially be shut down.
ABERMAN: So this is really, what you’re getting at is that there are legal requirements there that can create financial liabilities, so businesses have to be aware of them. I’m a CEO and I’m sitting here, I know that I exist in an environment where these are standards. How do I choose as a CEO which ones to follow?
KARMEL: So, it’s not so much a choice that you can make. It is a choice that is made for you, and that is a result of the type of business that you’re in. For example, if you are a health care provider, and you accept credit cards, that makes you required to comply with PCI DSS. You also have HIPAA compliance, because you are storing electronic health records.
ABERMAN: We’re in an environment now where so many people are concerned about privacy. This is only going to create more regulation, right? I mean, are you hearing from your clients that they’re already overwhelmed and they’re literally almost sitting in their forts watching the grenades come over the wall, saying, how could it possibly get worse?
KARMEL: So that’s literally the environment in which we live. How do we, as organizations, try to modernize security to move at the speed of business, and adhere to these multiple, in some cases conflicting, compliance requirements, finding the right balance between security, privacy, and functionality?
ABERMAN: OK. So, I’m overwhelmed. I’ve got all these different things. I would assume that the lawyers are going to tell me what I have to do, and the answer is going to be everything. So, how do I look at cybersecurity as a business through that prism, and not get overwhelmed with just buying stuff I don’t need, or not buying this stuff I do need?
KARMEL: So, what happens in most industries is, you have new technology that you bring to bear to solve a fundamental business problem, and then you have to employ security processes and procedures to support this technology, and ensure that compliance with the standards, based on, again, your business. Eventually, what ends up happening is, the security processes supersede the technology, and it brings your modernization to a complete crawl.
ABERMAN: So, give me an example of what you’re getting at.
KARMEL: Yeah. So, as you bring in a new information system, you have to, let’s say, make a change, update a module of this information system. To ensure that that information system is compliant with PCI, with payment card industry, or HIPAA, you have to ensure that there’s a certain set of controls that are employed for that new module.
Those policies and procedures have to be updated, and the certification and accreditation package needs to be updated to ensure that the paper that you’ve created for the auditors to validate that your system is compliant, is correct, and adheres to what that information system actually is doing. Now, here’s the big problem. Information systems change over time, compliance paperwork doesn’t keep up at all with the actual information system. Therein lies the rub. What we need is a new model to rethink how we employ security.
ABERMAN: So, in effect, what you’re advocating for are technology solutions that ultimately create the compliance trail, but ultimately have almost open APIs, open systems, so that whatever system you’re using, you get to the same output?
KARMEL: To a degree, not so much. It’s more so the fact that today, we implement our systems, then we create the certification and accreditation requirements around those systems, and then we attest that those systems are indeed compliant against the certification and accreditation package that we’ve created. The problem with that current model is, our systems change, and the C&A packages, the certification and accreditation packages, don’t keep up with the changes in the system. If there’s a compromise in that system, it brings in auditors, and you end up in this morass that you just can’t get out of.
ABERMAN: So in effect, what I’m hearing is that, I’m a CEO, I’m overwhelmed. Current cybersecurity technologies, in various ways, will tell me they’re solving the problem, ultimately they’re going to create their own compliance pathway. It sounds like a complete mess.
And maybe that’s why I hear from so many CEOs: I know there are thousands of solutions out there. How do I pick which one, and how do I show that they actually work? This sounds to me like a really complicated problem. I’m gonna get a headache just thinking about it. Is it really too much for people to keep up with?
KARMEL: It really is. And therein lies the rub. It has come to a point where it is too much to keep up with. So, we need to do two things. One: we need to create a set of win-win incentives in the industry to accelerate progress. So, all sides see the benefit, and we build partnerships instead of battlegrounds, where we make security the reason to modernize systems and move to cloud based systems, as opposed to the impediment.
Now, the way we do that is, as we talked about before, we first implement systems, then we accredit them, and then we assess them. In the vein of rethinking security, we should certify systems, then implement, and then assess those systems, something we can think of as continuous contextual assurance.
ABERMAN: So, how do we certify something we haven’t deployed yet, though?
KARMEL: So, that model is defining what those security controls are first, implementing those security controls in the information system, and then assessing the efficacy of those controls to ensure your compliance package is up to date, and that you’re meeting not just the audit trail that’s required and the certification and accreditation components that are required to make sure your system is modern, but now when these new modules come to bear, you’re not trying to figure out, how do I ensure that my system is compliant? Because you started with the certification process.
ABERMAN: In other words, I make the software work for me, instead of me working for the software?
KARMEL: That’s exactly right.
ABERMAN: Well, Anil, I think that’s a really interesting paradigm, and I’m sure a lot of CEOs will be really interested in hearing how you at C2 Labs and others in town are going to demystify a problem that we all have to solve. And God knows their liabilities will be down. So, thanks for joining us today.