Crafting the future of cybersecurity: How rules can coexist with innovation

May 13, 2024
The delicate balance between rules and innovation

Organizations in every sector face a technology landscape where cybersecurity, regulation, and innovation present both daunting challenges and significant opportunities. As technologies like IoT, artificial intelligence, and national security systems become increasingly entwined in our lives, the need for stronger cybersecurity increases. However, sometimes the very regulations intended to protect us can impede technological progress.

At RSA Conference 2024, held in San Francisco’s Moscone Center, four leaders discussed this delicate balance between enforcing rules and fostering innovation, leveraging financial incentives to enhance security, and the evolving role of cyber insurance.

Panelists (left to right): Mickey Bresman, CEO, Semperis; Nick Leiserson, Assistant National Cyber Director, Cyber Policy and program, Office of the National Cyber Director; Sam Curry, SVP & CISO in Residence, Zscaler; and moderator, Ari Schwartz, Managing Director for Cybersecurity Services, Venable  

Fair and balanced regulation

Finding the middle ground between tight security rules and the freedom to innovate is crucial. Venable Managing Director for Cybersecurity Services Ari Schwartz emphasized that, “The right balance in regulation is not just about enforcing rules; it's about promoting unconventional solutions and economic growth.” Smart regulations, he suggested, not only safeguard countries and organizations but also nurture new technology breakthroughs.

His assertion is supported by the White House’s 2024 Cybersecurity Posture Report, the second version of the U.S. cybersecurity strategy implementation plan. Balanced rules protect us from cyber dangers without stifling new technological advancements. Overly strict or outdated regulations can hinder progress, making it difficult for technology companies to innovate. Conversely, too few or too lenient rules can increase risks like data breaches, affecting both people and the economy.

The report cites global examples where policies effectively balance security and innovation. These success stories demonstrate that proper regulations secure our data, allow space for technological development, and can pave the way forward for policies that bolster both security and economic growth, enhancing the resilience and vibrancy of our digital world.

Financial incentives and global liability dynamics

Financial rewards play a big part in shaping how companies handle cybersecurity. Zscaler VP & CISO in Residence Sam Curry stressed the importance of these incentives, stating, “Liability dynamics between nations and financial incentives can dramatically shift the cybersecurity landscape. We need policies that encourage and reward strong security measures.” Such incentives not only help companies avoid penalties but also offer benefits for adopting robust cybersecurity practices.

Nick Leiserson, Assistant National Cyber Director at the White House Office of the National Cyber Director, added that there is also a need to “incentivize more secure software development.” Among the latest strategies in the White House report is exploring different frameworks for software liability related to vulnerabilities, as a way to incentivize more investment in the secure development of cybersecurity solutions. These incentives will help get vendors on board with national security goals.

Leiserson went on to offer an international perspective, noting, “Cyber threats don't care about borders, so it's vital that countries work together and sync up on rules to really nail their global cybersecurity strategies.” This teamwork is crucial to stop hackers from taking advantage of regulatory loopholes between countries.

Global interactions can complicate cybersecurity, requiring sophisticated coordination to ensure security measures are consistent across borders. International agreements and teamwork are required to align everyone’s efforts to minimize susceptibility to cyberattacks and boost global digital security.

By introducing financial incentives and harmonizing global liability rules, countries can better protect themselves and contribute to worldwide stability in the digital era.

Cyber insurers want to see better cyber hygiene

Cyber insurance is now a must-have for businesses. As threats evolve, insurance companies are adjusting their policies to cover more types of cyber incidents, such as data breaches, ransomware attacks, and even the fallout from social engineering scams. This expansion is critical because it provides businesses with a safety net, allowing them to recover more quickly from cyberattacks without suffering severe financial consequences. 

At the same time, the panel pointed out that organizations should not automatically assume that the cyber insurance providers will step in every time and pay the bills when there is a major incident. In the near-term, insurance companies will put more of the onus for liability on their customers by requiring them to audit their security vendors. This will force enterprises to approach security acquisitions more cautiously—following the lead of their peers in the federal government—and look for vendors that adhere to the highest standards and best practices.

Mickey Bresman, CEO of Semperis, stated that, “Cyber insurance trends show a growing need for financial models that bolster cybersecurity investments. Insurers now require firms to meet strict security standards before offering coverage.” This trend drives companies to enhance their cybersecurity measures, leading to better protection and lower insurance costs.

Enhancing network resiliency and harmonization efforts

The panelists stressed how crucial it is to beef up defenses and sync up regulations globally. As Curry put it, “To address cyber threats, we must bolster our defenses and harmonize regulations across regions.” Consistency in regulations prevents security gaps that cybercriminals can exploit. A good example is how GDPR data privacy regulations have inspired new privacy regulations and data sovereignty laws everywhere in the wake of the growing adoption of artificial intelligence and other digital innovations.

By syncing cybersecurity standards internationally, nation states can ensure a unified defense strategy. It also aids international businesses by motivating them to implement a consistent cybersecurity strategy, making it easier to follow regulations and maintain strong security everywhere they operate.

These efforts in cyber insurance and regulatory harmonization are key to enhancing global cybersecurity. By promoting strong security practices and international regulatory cooperation, governments and organizations in every sector can improve security and resilience against increasingly sophisticated and complex cyberthreats.

Future directions and policy recommendations

Looking ahead, the role of cybersecurity in pushing technology forward has never been more important. Leiserson emphasized the integration of “secure by design” principles and international standards as key to protecting our digital world. He states, “We must deepen the ties between public policy and technology to ensure that security and innovation go hand in hand.” This means focusing on developing technologies that are secure from the start, rather than bolting on security features later.

A major policy recommendation is enhancing collaboration between the private sector and government agencies. This partnership is vital for keeping accelerated technology innovations in sync with changing regulatory demands. Through collaboration, businesses and governments can swiftly identify and address emerging threats and create effective, innovative solutions. Governments can also encourage vendors to adopt “secure by design” practices through incentives like tax breaks, research grants, and streamlined patent processes for new security technologies.

Another crucial step is the development and harmonization of international cybersecurity standards. As threats increasingly ignore national boundaries, international cooperation is vital. Aligning standards and practices globally can minimize the risks posed by inconsistencies in regulations across different regions.

Also, putting money into cybersecurity education and growing our workforce is crucial. A well-trained workforce is essential for robust cybersecurity across industries, and awareness should extend to all organizational levels.

Final thoughts

The dialogue at the RSA Conference illuminated the multifaceted approach needed to balance regulation and innovation in cybersecurity. As Schwartz aptly summarized, “We must continue to evolve our strategies to not only respond to current threats but also to anticipate future challenges.”

It's crucial for everyone involved to keep the conversation going and adapt to ever-changing digital trends and technologies. By focusing on integrating security into technology development, enhancing collaboration, and standardizing global regulations, the public and private sectors can work together to foster a safer digital future.
