It seems every day, there is a new addition to what is unfolding at Twitter. I can scarcely believe that it has been over two months since I sat down to watch Peiter “Mudge” Zatko testify in front of the Senate Judiciary Committee. In my naivety, I thought that was going to be the biggest event for Twitter and for data security in 2022. With so much happening since, and surely more to come, pinpointing the biggest story from 2022 will be a data problem in itself.
Twitter is undoubtedly a different company now and, by all accounts, a company where public opinion and the board of directors play a diminishing role. The impact of these changes on how Twitter handles data security, the focus of the whistleblower complaint, remains unknown, but without the oversight that comes with being a public company, early signs are concerning.
However, we should not forget that Twitter is still subject to oversight from the Federal Trade Commission (FTC) and has a second consent order from the FTC hanging over its head. How the FTC responds to the events of 2022 will have very real implications for the governance of data security across any organization that deals with personal information.
How Has The FTC Responded To Date?
It is increasingly clear that the FTC is not going to back down from the challenge of regulating Twitter, as indicated by Douglas Farrar, director of public affairs at the FTC, in response to the recent Twitter changes: “No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
If the above is any indication, the FTC is on high alert and may be looking to make an example of Twitter. This isn’t surprising. If you look back at the testimony from Mudge, it delivered a very clear challenge to the FTC and potentially any other regulator with an interest in how organizations handle data. Comments, like the one below, sum up Mudge’s overall view on the failure of regulators to address the issues at Twitter:
There are various factors outlined throughout the testimony and the whistleblower complaint on why Mudge makes this commentary on the capabilities of the regulators. These factors include insufficient funding, a lack of technical focus compared to other “feared” regulators, limited effective tooling and an inability to interrogate the accuracy of carefully worded responses to regulators. In essence, Mudge has accused regulators of allowing the regulated organizations to “grade their own homework.”
If the FTC doesn’t aggressively use the compliance monitoring powers outlined in the order, I, like many other security professionals, will be surprised.
So How Will The FTC And Other Regulators Respond Long Term?
Regardless of the short-term response from the FTC against Twitter specifically, these types of events have long-term implications for the broader industry. All regulators focused on the protection of information will be keen to avoid similar events. It should be apparent that regulators must and will find better tools and approaches to assess the data security compliance of cloud-native organizations, including behemoths like Twitter. Commercial tools already allow regulators to complete data security assessments; savvy regulators will simply require assessments that are cost-effective and fast enough to be repeated regularly. As regulators explore tools and approaches that allow them to assess more technical attributes cost-effectively and at scale, there are some inevitable consequences. First, organizations should expect more directive and explicit requirements regarding data security. Second, as hinted by Mudge, regulators will start to focus more on hitting organizations where it hurts: their ongoing revenue models, but also the leadership of the organization. CEOs must be held personally accountable for their failures.
The ability to quantify noncompliance cost-effectively and at regular intervals will help regulators identify continued noncompliance. This will allow regulators to move beyond one-off fines and penalties, which are brushed off as insignificant in the face of continued revenue, and instead impact continued revenue streams.
Inevitably, as regulators gather more technical detail behind the lack of compliance, they will also become more rule-focused in their approach to security, providing stricter rules to follow for data security in the cloud. My belief is that only once regulations become more explicit about requirements at the data object level will they be impactful in addressing data security-related risk.
Regardless of the regulators’ short- and long-term reactions, the events at Twitter are undoubtedly a watershed moment for data security across all industries and a call to action for organizations to focus on improving their security posture from the data out. This starts with implementing capabilities to maintain an accurate and granular inventory of the data that your organization holds. Organizations can avoid regulatory scrutiny in the future if they can answer with precision and at scale: “Where is my sensitive data?” “Who has access to it?” “How is my data being used?” and “What is the security posture of my overall data store?”
This article originally appeared here: https://www.forbes.com/sites/forbestechcouncil/2022/12/21/the-future-of-data-security-regulators-are-going-to-get-stronger-meaner-and-more-personal/?sh=57bbad8b2cfe