Compliance is Critical - and Indicative
About ten years ago, at the beginning of my career, we didn’t talk too much about regulatory compliance, but as the years slowly moved forward, it became a much more central part of the focus of implementing and running an effective cybersecurity program within an enterprise. I still remember when I got a draft copy of the NIST CSF document by my then boss and was asked to make my way through it with the understanding that regulatory compliance would be coming down the pipeline in the future. I have had the privilege of working in many industries that have regulatory compliance as part of their day-to-day operations and business objectives - aerospace/defense, power grid/ICS and SCADA, health care and insurance (HIPAA), and telecommunications. All of these have varying degrees of federal oversight as they are considered what is called “critical infrastructures,” meaning that they form up the central pieces of what allows society to continue forward as we know it.
Both Due Diligence and Due Care are subjects you get introduced to pretty rapidly when your company or organization needs to maintain a level of compliance with regulatory bodies and laws. An example of Due Care would be an organization either making sure that they follow the already established guidelines, laws, regulations, etc. or it could mean that they design and implement their own in a way that matches with industry best practices or potentially in alignment with what future regulations may be applied from governing and regulatory bodies. Due Diligence is making sure that I (or the organization I serve) understand and have a comprehensive understanding of either the laws and regulations we need to follow or the policies and procedures that the organization has implemented on its own. Some of the best examples of Due Care and Due Diligence that I have come across are from the InfoSec Institute which I have linked in my sources below in case anyone wants to check it out! They are also just an awesome resource in general to learn more about our field!
There are many examples of companies that it becomes pretty apparent didn’t exercise either due diligence or due care in their operations (sometimes both because they typically go hand in hand) but one of the largest and most impactful examples that I can think of would be the Equifax breach of 2017 which I still remember vividly. I will include sources for further reading below in case anyone is interested, but the short story is that there was a critical vulnerability in a piece of software called Apache Struts which was being used as part of Equifax’s website. There was a patch for this software but Equifax hadn’t patched it in time before a hacking group was able to exploit it and the fallout was severe. It caused major distrust within the public and affected over 140 million people and their incredibly sensitive information (things like social security numbers and other sensitive data). As it turns out, I was one of those affected by this breach as well!