Cybersecurity’s regulatory reckoning is here


Cybersecurity is no longer a pure technical challenge. It’s a boardroom imperative. Here’s what it means for you.

Early optimism that organisations would self-regulate cybersecurity has given way to reality.

“Nation states hoped corporations would manage their own security programs without needing regulations,” says Kris Lovejoy, an internationally recognised leader in cybersecurity and privacy.

“They’ve realised hope is not a strategy,” she says.

A surge in high-profile data breaches and cyber-attacks has triggered a wave of legislation that will overhaul cybersecurity rules worldwide in 2024.

The US Securities and Exchange Commission and the European Union have set stringent requirements that companies disclose their risks and adverse incidents. Australia is rolling out legislation aimed at protecting critical infrastructure that will also include mandatory incident reporting.

This legal wave is shifting the burden of responsibility for cybersecurity and data protection
to companies and decision-makers.

Boardroom trade-offs

As the global leader of security and resiliency at Kyndryl, the world’s largest provider of IT infrastructure services, Kris Lovejoy has stewarded cybersecurity during the turbulent years of digital transformation.

“I’ve worked in this field for 30 years, and I can tell you, there are three reasons why people invest in security and resiliency.

“The number one reason is compliance. If there are government regulations, organisations will do something to meet those requirements. The second reason is crisis. If an organisation has had a crisis like a ransomware event, they’re going to invest to make sure it doesn’t happen again.

“The third reason is foresight. That is, a decision-maker realises this is a real issue, and they force the organisation to exercise control over that risk.”

Too often, organisations fail to invest in cyber resiliency until a crisis forces them to. This has
led to a patchwork of reactive solutions that are quick, cheap, and short-sighted.

The shift towards regulation marks a critical juncture in cyber governance, where a laissez-faire approach is replaced by a prescriptive one.

Kris Lovejoy.

“Governments thought companies would protect their digital infrastructure because
it was reasonable, the market required it, and consumers wanted it,” says Lovejoy.

“But the reality is, if a company is faced with an investment decision between a new capability that generates revenue versus security infrastructure, they choose the former.”

Precarious reality

The COVID-19 pandemic turbocharged digital transformation. It also made the world more vulnerable to cyber threats. As companies rushed to digitise, many overlooked foundational cybersecurity controls.

“Digital transformation without considering security as part of the build is like manufacturing a car and forgetting about the seatbelts,” says Lovejoy.

Kyndryl manages the heart and lungs of the world’s mission-critical systems, delivering IT infrastructure for every industry – banking and finance, energy, manufacturing, and retail to education, aviation as well as state and federal government.

This gives it powerful insights into the realities of global security and resiliency.

Lovejoy says the number one risk is legacy systems, with a staggering 40-60% of critical infrastructure assets no longer under service.

“Consider that. We’re managing most of the world’s most critical infrastructure systems, and we know that about half of them are no longer being supported by the vendor.”

The exposure of these systems to cyber-attacks is self-evident: an alarming 92% of the world’s corporations have experienced some sort of adverse event that compromised or disrupted
their IT systems in the past couple of years.

These are “terrifying statistics”, Lovejoy says.

Awake at night

Lovejoy is broadly optimistic about the incoming legislative changes. In particular, the risk-based approach demands different obligations from companies with varying levels of exposure across the development lifecycle.

But she is concerned that a resurgence of nationalism in 2024 will obstruct the headway that has been made. “That’s the thing that keeps me up at night,” she says.

A “Balkanisation” of cyber laws would force corporations to navigate a maze of competing regulations. Mandates for local data processing will handicap countries with poorer capabilities.

While large companies with more resources can probably grapple with these complexities, “medium-sized organisations are the weakest link,” says Lovejoy.

Entrepreneurs, venture capitalists and private equity firms must also play a role. “They have an obligation to ensure that their portfolio companies are doing what they need to do.

“Organisations providing funding to smaller companies should ensure they have access to the expertise and technologies they need.”

As a company that not only helps other organisations navigate these regulations but manages critical systems and sensitive data itself, Kyndryl occupies a unique position. “We are subject to the same regulations as our clients,” says Lovejoy. “That means we truly understand the challenges”.

Humans wanted

If security is going to keep pace with technological change, stronger IT systems are not enough.

The industry is facing a chronic shortage of skilled professionals. The most underused resource? Women. Female representation in cybersecurity hovers around an abysmal 20%.

The imperative to address this gap is not a token gesture towards diversity, says Lovejoy, but a strategic necessity to harness the full potential workforce.

“It’s a numbers game. We need women because we need humans.”

“But to do that, we need to recognise what is holding us back from making those numbers.”

The issue is not simply one of recruitment; it is retention. Women often opt out mid-career as they feel forced to choose between their family and job.

“I believe that in technology generally – and security more specifically – we really have
to concern ourselves with the trope that we’ve established about this being a 24/7 high-stress job, which it isn’t.”

“We also have to be circumspect about the kind of working environment we establish for our folks and ensure that they have adequate opportunities to balance work life with home life.”

She suggests flexible working conditions and additional support services, such as childcare and transportation security, as ways to help retain women and bolster the workforce.

Mission critical

Whether companies invest in people or infrastructure, one thing is clear: proactive solutions will protect the world’s critical systems more than reactive ones. So far, the pace of technological change has outstripped the ability of businesses to protect their digital frontiers.

Security and resiliency must catch up and keep pace.

“They have an obligation to ensure that their portfolio companies are doing what they need to do.”

More from Forbes Australia