{"id":98444,"date":"2019-05-06T06:00:58","date_gmt":"2019-05-06T13:00:58","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=98444"},"modified":"2019-05-06T15:24:17","modified_gmt":"2019-05-06T22:24:17","slug":"using-legislation-advantage","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2019\/05\/using-legislation-advantage\/","title":{"rendered":"Using Legislation to Your Advantage"},"content":{"rendered":"<h4><em><strong>Why regulation may not be the inhibitor you think to evolving your cybersecurity.<\/strong><\/em><\/h4>\n<p>A while back, I remember chatting with some fellow researchers about how, one day, there would be more lawyers than cybersecurity experts, as the definition of what is commercial remote administration software versus malicious backdoor software was in debate. Thankfully, that reality hasn\u2019t come to pass. However, in an increasingly regulated society, we have seen a raft of new requirements come into force impacting cybersecurity and digital activities generally, such as GDPR (General Data Protection Regulation), NISD (Network and Information Security Directive), and PSD2 (Payment Services Directive version 2), all in the EU, and CCPA (California Consumer Privacy Act) in the U.S., just to name a few. There are many others in existence, and more on the way around the globe.<\/p>\n<p>All these laws carry one common theme: how to enable an increasingly digital society to be safer, which is, I\u2019m proud to say, close to our own company\u2019s mission statement \u201cto protect our way of life in the digital age by preventing successful cyberattacks,\u201d thereby creating a world where each day is safer and more secure than the last.<\/p>\n<p>My concern, however, is that often I hear security experts talking about why they can\u2019t do what they need to as a result of some of the above new regulations. 
For example, they can\u2019t put their security data in the cloud due to GDPR concerns. This, by the way, simply isn\u2019t true. GDPR\u2019s Recital 49 states the following, which, in layman\u2019s terms, confirms that cybersecurity is there to help protect personal data and recognises that it is lawful to process personal data for the purpose of security, provided companies maintain limited use and proportionality.<\/p>\n<p><em>\u201cThe processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping \u2018denial of service\u2019 attacks and damage to computer and electronic communication systems.\u201d<\/em><\/p>\n<p>Even though I\u2019m not a lawyer and this is not legal advice, GDPR does not, in any way, appear to suggest we shouldn\u2019t use new security capabilities, be they cloud or any other, to make cybersecurity better tomorrow than it is today.<\/p>\n<p>Typically, cybersecurity regulation is focused on raising cybersecurity capabilities and adding in consistency, the latter being a very tough challenge in a space that is so dynamic. 
This is why so much of the new legislation uses quite abstract terms, such as \u201csecurity by design and default\u201d and \u201ctaking into account the state of the art\u201d. Legislation quite simply doesn\u2019t change at the same pace as technology innovation; fortunately, regulators understand that.<\/p>\n<p>As such, my challenge is simple. It\u2019s easy to use regulation as a reason NOT to do something new or different, yet truly that\u2019s not the purpose of the laws. New legislation aims to push us to raise our game and help make each day safer than the last. Look at how new legislation empowers you to do so. Don\u2019t get caught up in the speculation and urban myths of what you can\u2019t do, but instead check the facts, seek your own legal guidance, and leverage new regulations to raise the bar of your own capabilities. Evolution happens at pace in cybersecurity, and we must continue to challenge ourselves every day as to how we play our own role in making each day safer than the last through innovation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why regulation may not be the inhibitor you think to evolving your cybersecurity. 
A while back, I remember chatting with some fellow researchers about how, one day, there would be more &hellip;<\/p>\n","protected":false},"author":150,"featured_media":60781,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1766,484,6769],"tags":[6766,2684,6767],"coauthors":[1466],"class_list":["post-98444","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cso-perspective","category-government","category-public-sector","tag-cso-perspectives","tag-gdpr","tag-recital-49"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/01\/social-graphic-temp-Sept-EP-GD-Linkedin-698x400.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=98444"}],"version-history":[{"count":2,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98444\/revisions"}],"predecessor-version":[{"id":98446,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/98444\/revisions\/98446"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/60781"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=98444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=98444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=98444"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=98444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}