By John Spiegel, Director of Strategy, Axis Security
Something's gotta give... Despite the ever-increasing sums of money the enterprise is pouring into security (estimated at $150 billion per year), the cost of harm and damage from cyber-attacks is expected to grow to $10.5 trillion by 2025 according to a recent research paper by McKinsey. That is a 300% increase since 2015. To address the challenge, enterprise leaders either need to get serious about cyber or, as Kevin McDonald, COO and CISO of Alvaka Networks, recently said in a CRN article: "We're trying to show the government that we as an industry can get it together on our own and that they need to stay out of it. They are warning us. If we don't get our house in order, they're going to send a house cleaner and we're not going to like it."
And the regulators are coming. At least 45 states, including Colorado, California, and New York, are introducing new legislation to address the growing threat to the economy and to government agencies. While many of these bills focus on protecting personally identifiable information (PII), others call for a new approach to security altogether.
Two examples are the Biden Executive Order on Zero Trust for the Federal Government and a recently proposed amendment by the New York Department of Financial Services (NY DFS). Of the two, the NY DFS proposed update will be the more impactful.
Originally intended as an update to the cybersecurity regulation NY DFS instituted in 2017, the newly proposed amendment gives us a glimpse of what the enterprise will likely see in the near future. NY DFS regulates all insurance companies, banks, and other regulated financial services institutions, including agencies and branches of non-US banks licensed in the state of New York. Meaning, if you are a national company that operates in New York state, in order to conduct business there you must play by the rules set forth by NY DFS. As New York state is the world's 10th largest economy, these newly proposed rules will significantly impact both national and international companies operating in New York.

Why are the new rules important? In November, NY DFS adjusted the proposed amendment to address the growing impact of ransomware. The twist is that the language became prescriptive.
Callouts include risk assessments, audits, access controls, asset inventory and vulnerability scanning, risk-based authentication, privileged access controls, business continuity and disaster recovery (BCDR) compliance, governance rules, breach notification rules and, most notably, a requirement that both the CEO and the CISO sign attestations that their company is in full compliance. What if the company does not heed the new rules, or falsifies its compliance documents? The company, the CEO, and the CISO will face fines and legal jeopardy, and the company's license to operate may be revoked.

One other note to include here: the new amendment expands the scope to independent agents. If corporate data can be accessed by an agent, that agent is in scope for compliance. This is significant, as corporate security must now account for the security state of an independent entity. The bar has definitely been raised!
What are the recommendations for companies impacted by the new NY DFS regulation? Start getting serious about your security program! It is no longer enough to check the boxes on compliance. That ship has sailed. Security must become part of the fabric of the business; it can no longer be treated as an IT issue. That said, if you read between the lines, what NY DFS is targeting are the easy paths into companies. Meaning remote access and, to be more specific, legacy technologies like remote access VPNs and VDI. Both give a remote device a path onto the internal network and hand a malicious actor a foothold in the organization. From there, the attacker can recon the company, find the valuable assets, and either exfiltrate them or ransom them for gain. This is where newer access frameworks like Secure Access Service Edge (SASE) and Security Service Edge (SSE) can help.
Both SASE and SSE take the stance that a device, and the employee or contractor operating it, should never be placed directly on the network. Instead, users are brokered to specific applications, and both frameworks operate on the principle of least privilege. Taken together, the exposure created by legacy remote access solutions is removed and cyber risk is greatly reduced. SASE and SSE can also meaningfully address other requirements called out by NY DFS, including privileged access, inventory requirements and, critically, risk-based authentication. And for the cherry on top, because many of the solutions on the market let you consolidate point security and networking products, the ROI is fairly quick: under eight months in most cases.
If you are impacted by NY DFS, or by any of the new regulations beginning to make their way through the legislative process, reach out. I am more than happy to discuss how moving to a SASE or SSE framework can help you improve your cybersecurity posture, make compliance simpler and, critically, do it at a lower price point.
## ABOUT THE AUTHOR
John Spiegel, Director of Strategy, Axis

John Spiegel has 25 years of experience running global networks and managing infrastructure. He is an industry pioneer in software defined networking (SDN) and software defined WANs (SD-WAN). John has spoken on the topic of network transformation at industry conferences such as Gartner, InterOp, VMworld, and Palo Alto Networks Ignite, as well as at executive roundtable discussions. He has also been a customer advisor to companies like VMware, Palo Alto Networks, and Cisco Systems. Disruptive startups have also leveraged John's knowledge to bring products to market, resulting in successful exits. When not helping companies on their journey to modernize and secure their networks, John can be found cycling on the backroads of Oregon.