We live in confusing times
Unfortunately, the solutions put in place to mitigate these cyber risks are often just muddying the waters.
“First, and with the best of intent, governments and organizations have created laws, certifications, and requirements to protect payments, personal data, privacy, and communication,” explains Gerg. These regulations are typically a hodgepodge of letters and numbers that mean little to the average observer — things like PCI-DSS, PCI-3DS, PA-DSS, P2PE, AICPA Trust Services Criteria, FedRAMP, GLBA, Sarbanes-Oxley, FISMA, FERPA, GDPR, PIPEDA, CCPA, HIPAA, SSAE-16, SAS-70, SOC2 Type x, and more.
“Very often these laws and requirements do not account for the real-world technical challenges, edge conditions, interpretation, and applicability,” Gerg says. “Add on top of that a myriad of best practice frameworks, each written differently, written to fit a specific law or requirement, written to address the needs of a particular industry, or written to try to address every possible organization or situation.”
Further adding to the confusion is the multitude of businesses selling cybersecurity solutions that claim to remedy a company’s vulnerabilities, when most only address the tip of the iceberg, if anything at all. “Gap analysis, risk scores, audit readiness, monitoring tools, management tools, antivirus, antimalware, anti-spam, encryption, authentication and authorization tools, the cloud — each of them expounding on how they are built on proven technologies, or that they are better because they are new and disruptive,” says Gerg. “What results is what we call the ‘whack-a-mole’ scenario: multiple point solutions that each cost money, take time to manage, and provide questionable benefit when taking the complexity — and the IT department’s limited availability — into account.
“And did I mention that there’s a shortage of qualified information security professionals, despite many [people] claiming that they are experts?”