Hacked! The Implementation of NIST 800-171: Irony or the Energy of Non-Compliance

Irony. I don’t believe in it. What I do believe in is the metaphysical: the choices you make set in motion energy through the universe, which dictates the outcome of your experiences. It’s important to avoid expecting an outcome, because a choice is neither good nor bad, it just – is. Irony, by contrast, is the “state of affairs or an event that seems deliberately contrary to what one expects”. While I cannot tell you the details of a situation I encountered, I can tell you that I was introduced to a Company whose C-Suite staff decided that complying with federal cybersecurity regulations was too expensive and unnecessary. They were unsupportive of the due diligence that revealed weaknesses in its information security structure and scoffed at the mitigation plan. It got me thinking: was it irony that explained what happened as a result of their non-compliance, or did they merely make an objective choice that ended up creating a drastic outcome?

New Department of Defense federal cybersecurity regulations were put in place at the end of 2017, which require federal government contractors to incorporate certain information systems safeguards for the purpose of protecting federal government information. The guidelines can be found in NIST 800-171. At the Company discussed above, doubting senior officers were unconvinced that complying with the new requirements would protect it from a hacking incident. They further believed that they would never be victims because hackers wouldn’t be interested in the Company. “Ironically”, shortly thereafter, the Company was hacked, and the attack financially threatened the Company’s core business operations. The Company suffered significant financial loss, but thankfully no government data was compromised.

Had federal data been exposed, the Company would have had to report the incident to the feds, implement its incident response plan, and prepare for the federal government to take control of the Company’s operations for an unknown period of time, threatening its ability to conduct business, all the while struggling to recover the money that was stolen. But the Company didn’t have an incident response plan, nor did it have any understanding of how to effectively investigate a hacking incident.

The situation was a wake-up call to the C-Suite staff, and it called into question: had they implemented the new cybersecurity requirements, would the hacking incident have been minimized or even prevented? I think the root of the problem was that the C-Suite staff rejected implementing an effective cybersecurity program because they didn’t care about compliance. But in fact, the new cybersecurity requirements would have narrowed the gaps in the Company’s existing information systems infrastructure, more than likely protecting the Company’s assets and any federal data stored in its network.

At the end of the day, the lesson is that compliance has a place in every business. It’s healthy for a company of any size. It’s more than a cost center: it protects companies from risk and exposure that could be catastrophic. Compliance is a money maker. So again, was it just ironic that these naysayers suffered a hacking incident, or was it the non-compliance energy they released into the universe?
