Happy birthday Notifiable Data Breaches Scheme. How have you performed?

A year ago today, Australian businesses became subject to a mandatory data breach reporting scheme. Angst and anticipation came with its introduction – angst for the disruption it might have on unprepared businesses and anticipation of the positive impact it would have for privacy.

Twelve months on, consumers are arguably more troubled about the lack of safeguards for privacy, while businesses face the prospect of further regulation and oversight. Without a fundamental shift in how privacy is addressed, the cycle of heightened concern followed by further regulation looks set to continue.

It would be folly to pin all our problems on the Notifiable Data Breaches (NDB) scheme. Some of the headline events that exacerbated community privacy concerns in the past year fell outside its remit. The Facebook / Cambridge Analytica scandal stands out as a striking example.

The NDB scheme has also made its mark. For one, it has heralded a more transparent view of the state of breaches. More than 800 data breaches have been reported in the first year of the scheme.

The data also tells us more about how breaches are happening. Malicious attacks are behind the majority of breaches, though humans play a substantial role. Not only do about a third of breaches involve a human error, such as sending a customer’s personal information to the wrong person, but a large portion of malicious attacks directly involve human factors such as convincing someone to give away their password.

And for the most part, businesses got on with the task of complying. In many organisations, the dialogue has shifted from preventing breaches to being well prepared to manage and respond to them. This is a fundamentally positive outcome – as data collection grows and cyber threats get more pernicious, breaches will become more likely and businesses, as they do with the risk of fire, ought to have plans and drills to respond effectively.

And still, the jury is out on whether consumers feel more protected. Despite the number of data breach notifications in the past year, events suggest it would be difficult to say transparency alone had improved the way businesses handle personal information.

The sufficiency of our legislative regime is an open question. The ACCC is signalling it will play a stronger role in privacy, beginning with recommending a strengthening of protections under the Privacy Act. Last May, the Senate also passed a motion to bring Australia’s privacy regime in line with Europe’s General Data Protection Regulation (GDPR), a much more stringent and far-reaching set of protections.

Australian businesses ought not be surprised. The Senate’s intent aligns with what is occurring internationally. In the US, where Facebook’s repeated breaches have catalysed the public and polity, moves are afoot towards new federal privacy legislation. States like California have already brought in GDPR-like legislation, while Asian countries are similarly strengthening their data protection regimes. With digital protections sharpening as a public concern, a federal election in Australia this year further adds to the possibility of a strengthened approach to privacy by authorities.

Businesses will want to free themselves from chasing the tail of compliance with an ever-moving regulatory landscape. Given the public focus on issues of trust, privacy also emerges as a potential competitive differentiator.

A more proactive and embedded approach to privacy addresses both these outcomes. Privacy by design is emerging as a growing discipline by which privacy practices are embedded at an early stage. In short, with privacy in mind at an early stage, new business initiatives can be designed to meet privacy requirements before they are locked into a particular course of action.

We also need to look to the horizon, and it’s not as far away as we think. Artificial intelligence (AI) is already pressing deep within many organisations, and raises fundamental questions about whether current-day privacy approaches are sufficient. AI represents a paradigm shift that challenges our ability to know in advance why we are collecting data and how we intend to use it.

And so, while new laws introduced in the past 12 months were a major step forward in the collective journey to better privacy, in many ways the conversation is just starting.

The difference between NIST CSF maturity and managing cyber risk

Yesterday marked the fifth anniversary of what we here at elevenM think is the best cyber security framework in the world, the NIST Cybersecurity Framework (CSF). While we could be writing about how helpful the framework has been in mapping current and desired cyber capabilities or prioritising investment, we thought it important to tackle a problem we are seeing more and more with the CSF: the use of the CSF as an empirical measurement of an organisation’s cyber risk posture.

Use versus intention

Let’s start with a quick fact. The CSF was never designed to provide a quantitative measurement of cyber risk mitigation. Instead, it was designed as a capability guide: a tool to help organisations map their current cyber capability to a set of capabilities which NIST considers to be best practice.

NIST CSF ‘Maturity’

Over the past five years, consultancies and cyber security teams have used the CSF as a way to demonstrate to those not familiar with cyber capabilities that they have the right ones in place. Most have done this by assigning a maturity score to each subcategory of the CSF. Just to be clear, we consider a NIST CSF maturity assessment to be a worthwhile exercise. We have even built a platform to help our clients do just that. What we do not support, however, is the use of maturity ratings as a measurement of cyber risk mitigation.

NIST CSF versus NIST 800-53

This is where the devil truly is in the detail. For those unfamiliar, NIST CSF maturity is measured using a set of maturity statements (note that NIST has never produced its own, so most organisations and consultancies have developed proprietary statements, elevenM included) rated against the Capability Maturity Model (CMM). As you can therefore imagine, the assessment performed to distinguish one maturity level from another is often highly subjective, usually conducted via interview and document review. In addition, these maturity statements do not address the specific cyber threats or risks to the organisation; they are designed only to determine whether the organisation has the capability in place.

NIST 800-53, on the other hand, is NIST’s cyber security controls library: a set of best practice controls which can be formally assessed for both design and operating effectiveness as part of an assurance program. This is not subjective; it is an empirical, evidence-based assessment that can be aligned to the CSF (NIST has provided this mapping) or to a specific organisational threat. Do you see what we are getting at here?

Which is the correct approach?

Like most things, it depends on your objective. If you want to demonstrate to those unfamiliar with cyber operations that you have considered all that you should, or if you want to build a capability, the CSF is the way to go. (Note that doing the CSF maturity assessment without assessing the underlying controls limits the amount of trust stakeholders can place in the maturity rating.)

If, however, you want to demonstrate that you are actively managing the cyber risk of your organisation, we advise our clients to assess the design and operating effectiveness of their cyber security controls. How do you know if you have the right controls to manage the cyber risks your organisation faces? We will get to that soon. Stay tuned.