Regulatory Compliance – holding security back or forcing reassessment?

A recent survey conducted by IBM and Censuswide of the UK market explored some of the drivers for modernisation and revealed some interesting challenges that organisations currently face as more and more businesses expand their digital boundaries. The most interesting finding was the that one of the drivers for modernisation (according to 28% of participants in the survey) was “Changing industry regulations” whilst regulatory compliance was also perceived to be holding organisations back with a whopping 44.8% agreeing with this point.

In a previous blog post, I talked about how regulation was, and indeed should be, driving change as well as the need for companies to get ahead of new rules. But whilst I champion thinking ahead about compliance, I do appreciate (having been actively working in IT security for many years now) that regulation is all too often seen as a force that has positive and negative impacts on security and IT operations in general, often simultaneously driving up standards whilst slowing down the adoption of new technologies.

Security and related controls are all too often seen as a barrier for fast and positive change in the world of business – indeed I know many who think that every-day physical security checks at the airport, or entering a building are unnecessarily draconian. But I think such positions are often informed by several cognitive biases that are easy to fall into which are worth exploring in some detail to see if we can at least understand why regulation can be seen as a two-headed beast. 

Anchoring biases – how early exposure to requirements can bias us

Consider, for example, Anchoring Bias – the idea that we tend to rely too heavily on one piece of information when making decisions. For many, passwords are considered practical and secure ways to log in, but many have not revised their definitions of what a good password looks like or considered two factor authentication. Sometimes this comes from a position of not being exposed to the latest security research. Indeed, for those outside of IT security this is easy to understand, but for others, it can simply come down to their first exposure to “securing” something. When many got started with computing, adding a password to a file or computer login prevented others from gaining access and, as a result many saw this as a practical security measure. However, few consider the bigger picture of more connected and mobile devices, which changes access levels and thus the potency of passwords significantly.

More information is key to battling anchoring bias, but delivery of this information over and over won’t necessarily “up-anchor” a belief. Instead, we need to consider how to shift the original belief, replace it with new and accurate information, and, more importantly, make the process easy. Two factor authentication and password vaults are significantly easier than recalling passwords or dealing with a personal security breach, but rarely do I hear people focus on how these security measures make things easier as well as more secure. As a result, people may still find themselves anchored to the original idea that passwords might be enough in a world where that is becoming increasingly untrue.

Normalcy Biases – planning for disasters never sounds like fun

Alternatively, you might want to think about the concept commonly known as Normalcy Bias. This is a type of bias that means we refuse to plan for or indeed react to a disaster that has never happened before. This type of bias may impact how we think about a new regulation and its associated security controls. Regulations often focus on getting behaviours in place to prevent problems which haven’t happened or indeed might never happen.   This type of future-thought doesn’t make sense to those suffering from normalcy bias. Biased thinking here results in some making assumptions about how things don’t change in the world.  This mind set can be incredibly perilous. Regulations in particular are almost always based upon the lessons learnt from previous incidents that have hit the real world not just once, but many times, and, as such, assuming that things will continue as they are doesn’t make a lot of sense.

Making people understand how things are changing in the IT world then can be key. In my experience, most already assume that change is a constant but can fail to spot how they unevenly apply this change. They may consider how computing power becomes faster and more efficient, but not how much faster a password could be discovered as a result. So, beating normalcy bias for IT security can involve teasing out the idea that greater processing power introduces greater risk, and mitigations for such risks needs to keep pace, as tomorrow’s security threat might not be the same as today’s.

Change, Regulations, and Modifying our view on Regulatory requirements

The IBM survey highlights that most respondents (covering the financial, telecoms and public sector) fully understand that failure to deliver on digital transformation results in an increased security risk.  34.3% rate this as a consequence, the second highest concern overall shared by those questioned in the survey.  As a result, it’s important that those driving these changes should be aware of the mental biases that can cause reluctance to adopt better security practices and instead work out how best to embrace the benefits of compliance with regulation in IT security.

With an awareness of the speed of change in IT and an understanding of where security needs to be on the journey, my hope is that many more companies come to believe that regulatory change can in fact be a positive source of change and that future surveys reveal compliance as more of a boon and less of a challenge.