The scope of cybersecurity will soon include regulatory compliance. Consider the unprecedented security challenges and failures we saw in 2017:
- 145 million Americans saw their sensitive financial and personal lives become available to the highest dark web bidder because attackers discovered a well-known but unpatched Apache Struts vulnerability;
- Three billion consumer accounts compromised because a single, semi-privileged employee fell for a phishing scam;
- Hospitals and other critical infrastructure operations held hostage around the globe by the WannaCry ransomware;
- Computing endpoints and datacenters affected worldwide by Spectre and Meltdown hardware vulnerabilities.
Partly because there is no end in sight to the advancement of cyber threats, 2018 will also see significantly increased InfoSec regulatory compliance requirements. Top of mind for most in this respect is the EU’s General Data Protection Regulation. The GDPR changes the scope of InfoSec to include protecting the rights and freedoms of data subjects, not just mitigating the possibility of a data breach. Regulatory compliance with GDPR is not optional. The penalty for violation can be up to 4% of an organization’s global gross revenues or €20 million, whichever is greater – which is on top of the cost of investigating and responding to a financial institution outside criminal breach of $245 per record.
Regulatory Compliance does not stop with GDPR
Another EU regulation making waves of InfoSec is the NIS Directive which requires EU member states to enact legislation that achieves a high level of cybersecurity across network operators, critical infrastructure, and digital service providers.
The list of affected business is broadly defined to include “online marketplaces” that collect or deal with information from EU citizens. As is true with the GDPR, the NIS directive laws will impact organizations globally, regardless of where they are located. Moreover, regulatory compliance with NIS directive legislation will not be optional. The UK, for example, recently announced that not having “effective cybersecurity measures” in place could result in a fine up to £17 million.
While the EU increases regulatory compliance requirements, the US continues to republish the same agency imperatives, while others continue calling for tougher penalties for failing US regulatory compliance requirements. However muddled the federal regulators and lawmakers may be, the real pressure for US regulatory compliance is being felt at the state legislative level and from shareholder activity. 
Wherever the pressure for regulatory compliance originates, the array of IT-related risks in the CISO’s bailiwick continue to increase and become more complex. No longer can the organization limit its concern to whether an attacker can cause a buffer overflow in an application. IT risks now include the regulatory compliance issues and legal consequences of not proactively implementing “effective cybersecurity measures.”
Managing Cybersecurity and Regulations with Digital Transformation
The traditional corporate course of action is to invest significant budgetary and human resources in acquiring and maintaining responsive and defensive technologies. Defending the “trust boundary” is, after all, the easiest place to start cybersecurity efforts.
However, as each year witnesses a new bar in cybercriminal activity and sophistication, organizations need to consider how they can affect consistent security policy end-to-end throughout their organization – and whether or not said policy satisfies the increasing array of regulatory compliance requirements.
Security leaders need to ask – and objectively defend – whether their implemented security initiatives protect shareholder interests and organizational reputation. If experiencing a material breach is only a matter of “when” then it may be time to realize that responsive and defensive security technologies are not cutting the muster. It is time for organizations to implement enterprise threat modeling.
Enterprise threat modeling represents another digital transformation; and, as with other positive albeit disruptive transformations, the challenge is with knowing where to start the paradigm change. The NYDFS cybersecurity regulation, for example, codifies a shift in corporate responsibility from “breach disclosure” to “disclosure of appropriate security controls.” As such regulatory compliance requires a paradigm change from reactive to proactive, which is a great start – in theory.
In practice, though, mere regulatory compliance with the NYDFS code is not enough. The controls included explicitly in the NYDFS regulation include penetration testing, application security measures, vulnerability assessment, encryption of confidential data, and multi-factor authentication. Granted, these are important components of a holistic cybersecurity program.
However, such measures by themselves cannot secure an organization’s full cyber ecosystem – the goal to which the EU regulations and directives drive. Strong encryption, for example, may make breached information worthless to attackers, but it does little to prevent attackers from controlling the switching controls at electrical substations or stopping a DDoS attack, or preventing attackers from taking over a power plant’s cooling system.
Likewise, penetration testing can verify that security controls are encoded in critical and high-risk applications. It cannot, though, help an organization stop a phishing attack that results in the installation of a backdoor on the company’s servers, nor does it help the organization understand alternative attack paths an APT actor may choose to avoid implemented countermeasures.
Defensive and responsive technologies and processes are necessary, but they do not keep pace with the evolution of the threat and regulatory compliance landscape any more than they keep pace with a DevOps CI/CD production environment.
Enterprise Threat Modeling enables Regulatory Compliance
Enterprise threat modeling, on the other hand, provides security leaders and practitioners the role-based, proactive solution organizations need to establish “effective cybersecurity measures” as the threat and regulatory landscape changes.
Unlike its traditional, application threat modeling “little brother,” enterprise threat modeling yields the organization’s security “big picture” across the full cyber ecosystem. Not only can organizations know where their data is located, but how and for what purposes it is being used, where the open attacker opportunities exist, and who the potential attackers may be.
The fantastic part, though, is that these insights can be gained before the first line of code is written, before the cloud environment is created, or before the data center is migrated. Security requirements can be re-evaluated each time an application iterates through the CI/CD pipeline. Organization-wide policy can be dynamically analyzed throughout the deployed and legacy environment as new threats are identified or before new security initiatives are implemented.
Beyond just providing secure initial coding guidelines as does traditional application threat modeling, enterprise threat modeling helps stakeholders throughout the organization understand the full scope and breadth of IT-related risks – including risks associated with the rights and freedoms of data subjects or other proactive risk quantifications required by new regulations.
Enterprise Threat Modeling to see the Whole Risk Environment
Traditional application threat modeling is usually applied to the analysis of a single application in isolation. The scope of that perspective is similar to a home security vendor analyzing a set of blueprints to determine where to place cameras and motion detectors.
The vendor’s cameras and motion detectors are a good start to securing the new home, but cannot cover all the potential security issues. For example, what is the home’s distance from fire and police stations? This will have an impact on their response times – and on the homeowner’s insurance premiums. Furthermore, how will the homeowner secure outdoor utility access or patio furniture? Interior cameras will not dissuade neighbors from “borrowing” a little water or plugging in an extension cord.
Consider furthermore that this new house will likely not exist in isolation. It will be part of a neighborhood and part of a city. If the neighbors fail to maintain the appearance of their homes, the homeowner’s property values may be impacted. If there is a riot or fire downtown, the emergency response resources may not be available if the homeowner needs them. Again, securing the new home with interior cameras and motion detectors is a good start, but cannot address the full scope of issues the homeowner needs to consider.
Enterprise threat modeling provides real-time situational visibility into the organizations current level of security and regulatory compliance across the entire cyber ecosystem. It starts with a consideration of single applications, just like traditional threat modeling
However, as the threat model portfolio builds, security leaders have increased visibility into larger scale issues including application interactions, the impact of shared components, the downstream risks from 3rd party systems, and alternative attack paths throughout a particular environment.
Enterprise threat modeling makes it possible for CISOs to conduct dynamic “what-if” studies across their entire IT system to determine the most effective security policies and to achieve the highest ROI from security initiatives.
ThreatModeler™ for Automated Enterprise Threat Modeling
ThreatModeler™ is the industry’s #1 automated threat modeling platform, providing integration with existing toolsets and true cross-functional collaboration across all IT system stakeholders. With ThreatModeler™, organizations can:
- Automatically create threat models from Visio-like diagrams in as little as 15 minutes;
- Threat model applications, on-premises and cloud-based deployment environments, mobile devices and computing endpoints, IoT and embedded systems, and industrial control and other cyber-physical systems;
- Understand the security and associated risks across the entire cyber ecosystem, from applications on the architect’s whiteboard to legacy systems, and even non-owned, non-controlled environments such as a remote employee’s smart home;
- Quantify the ROI of planned or deployed compensating controls or security initiatives; and
- Understand the organization’s unique attacker population and the various attack paths that they may attempt.
Enterprise threat modeling with ThreatModeler™ yields the data-driven “big picture” today’s CISOs need for cybersecurity and regulatory compliance.
 Newman, Lily Hay. “Equifax Officially has No Excuse.” Wired. Conde Nast Publications: New York. September 14, 2017.
 Galligaher, Sean and Kavid Kravets. “How did Yahoo get Breached? Employee got spear phished, FBI suggests.” ARS Technica. Conde Nast Publications: New York. March 15, 2017.
 Flick, Nathaniel. “Cybersecurity Today is Treated like Accounting before Enron.” The New York Times. The New York Times Company: New York. January 8, 2018.
 Fruhlinger, Josh. “Spectre and Meltdown explained: What they are, how they work, what’s at risk.” CSO Online. CXO Media, Inc.: Framingham. January 15, 2018.
 “2017 Cost of Data Breach Study.” Ponemon Institute, LLC: Traverse City. June, 2017.
 “Government Acts to Protect Essential Services from Cyber Attack.” Press Release. Department for Digital, Culture, Media & Sport, Department for Transport, Department of Health and Social Care, Department for Business, Energy & Industrial Strategy, National Cyber Security Centre. January 28, 2018.
 Stein, Karen M. “Statement on Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” Public Statement. US Securities and Exchange Commission: Washington DC. February 21, 2018.
 Cameron, Dell. “New ‘Cybersecurity Office’ Would Oversee Companies like Equifax and Dole out Fines for Slipshod Security.” Gizmodo. Gawker Media, LLC: New York. January 10, 2018.
 “Privacy and Cybersecurity Top 10 for 2018.” Sidley Austin LLP: Chicago. January 3, 2018.