Mastering Compliance for a Secure Future

Andrew Mulligan
Sofiane EL Abdi
Published: Jun 26, 2024


Authors: Andrew Mulligan, EMEA Partner Director, Fortanix; and Sofiane EL Abdi, Head of Cyber Services, KPMG Qatar

Across markets and geographies, customer (and employee) engagement continues to demand new and better experiences: on-demand access, high ease of use, and more personalised content and journeys. As a result, businesses face technological change to deliver these accelerated digital experiences, including cloud adoption and the adoption of AI and ML.

But as a result, threats evolve and cybercrime increases, with its predicted cost growing from $8 trillion to $10.5 trillion between 2023 and 2025 [source].

With this increased digital transformation and cybercrime, regulation becomes an even bigger factor, with mandatory requirements to safeguard data. For years, the global regulatory landscape has been very disjointed. Now markets like Europe, China and the US are setting the tone, and many others are following suit [source]. Patterns and principles are emerging in the security, privacy and AI domains. This gives leading organisations an opportunity to coalesce, locally and globally, around a principles-based approach to proactively protecting and managing sensitive information.

At a recent roundtable for the financial services sector, Fortanix and KPMG, along with the PCI Security Standards Council, led an interactive discussion with over 20 leaders from top financial institutions on the opportunity of navigating compliance standards to address emerging cybersecurity challenges.

DORA, PCI DSS 4.0 and NIS2, to name just a few compliance standards, support improved governance and auditing processes and mitigate cyber risks, leading to shorter ICT-related disruptions, improved resilience, and aligned management across individual businesses and third-party / supply chain organisations.

Internally, CISO engagement with the boards of organisations must present compelling leadership to prioritise security, a conversation made more poignant by the potential risk of personal liability.

Otherwise, failure to comply with regulations can result in a variety of penalties: financial fines (e.g. under GDPR, up to 4% of annual revenue or 20m); brand and reputational risk, where customers (and employees) vote with their feet; and decreased financial benefits, with higher audit [source] and insurance costs and stock market devaluations [source].

However, it can be a minefield, with regulations often overlapping and having differing timeframes and geographic reach. In financial services in particular, DORA, PCI DSS 4.0 and NIS2 all play a prominent role, each with upcoming deadlines to adhere to.

So how should businesses approach this effectively? And what do these regulations all mean?

Ultimately the goal is to manage the safeguarding of data, to understand and reduce risks, and to ensure the appropriate plans are in place when a threat materialises, despite the complex ICT landscape across both the individual business and third-party environments. How can this present itself?

  • More effective frameworks to manage risk across the complex, digital ICT landscape, both owned and third party.
  • Procedures (e.g. disaster recovery, BCP, incident response) to withstand, respond to and recover from disruptions.
  • Securing data without hindering the ability to share information (e.g. for open banking: completing transactions and clearing across borders and organisations).
  • Reporting, governance and auditing principle and process improvements.
  • Data access principles that support privacy and security, lowering exposure to unauthorised access and leaks.
  • Ongoing testing and operational resilience simulations to keep plans and people ready.

Data security is the protection of the confidentiality, integrity, availability, authenticity, accountability and non-repudiation of data against different types of threats. Protecting data to the highest standard in this way ensures the activity of an organisation or individual is not hindered.

At Fortanix, we believe in a data-first strategy to securing the world’s data. By protecting the data rather than the environment, data is desensitised and useless to the wrong people, whether in use, in transit or at rest. Too often we see examples of data breaches and ransomware attacks where a perimeter approach has failed or human error has occurred, leaving data at significant risk.

To benefit from a true defence-in-depth approach, built on a foundation of Confidential Computing, organisations can operate a trusted execution environment over a variety of encrypted repositories, enabling multi-party collaboration and computation with privilege-, rule- and role-based access control for auditing and tracking. A Zero Trust attestation SaaS environment, which verifies trust across the compute stack, allows organisations and their third parties to operate in secure enclaves for the highest levels of data security.

With data-first security, operational resilience increases, allowing the business to focus on delivering the best services for customers and their expectations. In addition, new revenue and market opportunities arise, with the ability to drive competitive advantage through new ventures and partnerships when business insights and decisions can be based on secure AI modelling and third-party data collaboration.

And once compliance standards are met, the next consideration is to keep an eye on new technologies. Although its timeframes are still only predicted, Post-Quantum Cryptography (PQC) is becoming increasingly prominent. According to KPMG research, 27% of organisations confirmed they will have invested in quantum in the next 3-5 years [source]; this is already predicted to be too late!

Although budgets are assigned, organisations are still in the learning zone, with questions around which algorithms will allow for a sustainable approach. Businesses need to take action and speed up their approach to reduce risk, both against the threat of attacks in years to come and in the protection of data and keys stolen now under a ‘steal now, decrypt later’ strategy [source]. When you consider how infrequently people change their bank accounts, their mortgage providers or their pension providers, this is a very real challenge.

So, what needs to be done? It is predicted that quantum computers will be capable of breaking public-key encryption schemes more easily due to higher processing rates, requiring cryptography algorithms resistant to this threat.

Fortanix supports customers through the four stages of a PQC migration process, Discovery, Assessment, Planning and Execution, to ensure the highest standard of security posture. And once you have seen what the status is within your business, there are clear decisions to be made and actions to be taken: you can’t unsee what you see!
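The Discovery and Assessment stages above amount to building an inventory of where public-key cryptography is used and ranking each asset by its ‘steal now, decrypt later’ exposure. The following is an added illustration, not Fortanix or KPMG code: it takes a constructed inventory of cryptographic assets, classifies each primitive by the kind of quantum threat it faces (Shor’s algorithm for RSA/ECC/DH, Grover’s for short symmetric keys), and prioritises assets using the widely cited Mosca heuristic (flag when data lifetime plus migration time exceeds the assumed years until a cryptographically relevant quantum computer exists). The asset names, key sizes, lifetimes and the 3-year and 10-year horizons are hypothetical values chosen for the example.

```python
"""Crypto-asset discovery and assessment helper (standard library only).

Example code added to illustrate the Discovery/Assessment stages of a PQC
migration; it is not the page's own tooling. All inventory values below
are constructed for the example.
"""
from dataclasses import dataclass

# Public-key primitives whose security rests on factoring / discrete logs,
# i.e. broken by Shor's algorithm on a large enough quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}

# Symmetric keys / digests: Grover's algorithm roughly halves effective
# strength, so 256-bit material is generally considered adequate.
SYMMETRIC_MIN_BITS = 256


@dataclass
class CryptoAsset:
    name: str                 # where the primitive is used (hypothetical)
    algorithm: str            # e.g. "RSA", "ECDH", "AES-GCM"
    key_bits: int
    use: str                  # "key-agreement" | "encryption" | "signature"
    data_lifetime_years: int  # how long the protected data must stay secret


@dataclass
class Finding:
    asset: str
    priority: str             # "high" | "medium" | "low" | "none"
    reason: str


def classify(asset: CryptoAsset) -> str:
    """Discovery step: which class of quantum threat applies to this primitive."""
    if asset.algorithm.upper() in SHOR_VULNERABLE:
        return "shor"
    if asset.key_bits < SYMMETRIC_MIN_BITS:
        return "grover-weak"
    return "ok"


def assess(inventory, migration_years: int, cryptanalysis_years: int):
    """Assessment step: rank assets by 'steal now, decrypt later' exposure.

    migration_years:     assumed time needed to migrate this asset to PQC
    cryptanalysis_years: assumed years until a cryptographically relevant
                         quantum computer exists (a planning assumption)
    """
    findings = []
    for a in inventory:
        kind = classify(a)
        if kind == "ok":
            findings.append(Finding(a.name, "none", "no quantum-vulnerable primitive"))
        elif kind == "shor" and a.use in ("key-agreement", "encryption"):
            # Confidentiality is at risk today: captured ciphertext or key
            # exchanges can be decrypted once a quantum computer exists.
            exposed = a.data_lifetime_years + migration_years > cryptanalysis_years
            findings.append(Finding(
                a.name, "high" if exposed else "medium",
                f"{a.algorithm} {a.use}; data must stay secret "
                f"{a.data_lifetime_years}y, migration {migration_years}y"))
        elif kind == "shor":
            # Signatures only fail once forgeries become feasible, so the risk
            # starts at cryptanalysis time rather than at capture time.
            late = migration_years > cryptanalysis_years
            findings.append(Finding(
                a.name, "medium" if late else "low",
                f"{a.algorithm} signature; not exposed to harvest-now attacks"))
        else:
            findings.append(Finding(
                a.name, "low",
                f"{asset_desc(a)} below {SYMMETRIC_MIN_BITS}-bit; review key length"))
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    return sorted(findings, key=lambda f: order[f.priority])


def asset_desc(a: CryptoAsset) -> str:
    return f"{a.algorithm}-{a.key_bits}"


def run_example():
    """Constructed inventory; 3-year migration, 10-year cryptanalysis horizon."""
    inventory = [
        CryptoAsset("tls-edge-proxy", "X25519", 256, "key-agreement", 10),
        CryptoAsset("code-signing", "RSA", 3072, "signature", 1),
        CryptoAsset("db-at-rest", "AES-GCM", 256, "encryption", 10),
        CryptoAsset("legacy-vpn", "RSA", 2048, "key-agreement", 2),
        CryptoAsset("file-transfer-aes128", "AES-GCM", 128, "encryption", 5),
    ]
    return assess(inventory, migration_years=3, cryptanalysis_years=10)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.priority:6} {f.asset:22} {f.reason}")
```

The long-lived key agreement at the edge comes out as the highest priority, because anything recorded from it today would still be worth decrypting a decade from now, whereas the signing key can wait until the Planning stage. The horizons are inputs, not predictions; the value of the exercise is that changing them re-ranks the inventory in a way the board can follow.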

To start your journey to PQC and ensure your data security compliance, learn more in conversation with us today.
