There are an increasing number of industries that are exposed to information security and privacy regulations. Those industries (such as federal agencies, health care, finance, insurance and publicly traded companies) have developed some fairly standardized approaches to meeting those regulations. These regulations provide the security professional with a certain amount of “teeth” that can be used to motivate company executives to invest in proper resources in order to comply with those regulations. That is not the case in industries that are not exposed to a particular set of regulatory guidelines. Health care is one example where the investment in information security controls pre-HIPAA was often well below the investment in other industries that were regulated, despite the fact that health care collects and stores highly sensitive data. This example speaks to the challenge facing security professionals in unregulated industries: making the case for investment in security controls that do not necessarily contribute to bottom-line profit margins.
Discuss strategies that information security professionals can use in their unregulated organizations to motivate company executives to provide the proper level of funding to adequately secure the information the organization collects and stores. Include in the discussion both the “carrot” and the “stick” that might be useful in generating these talking points. For example, post-HIPAA, it was useful to point out to executives that there were penalties built into the HIPAA rules that assigned personal liability for those who could reasonably be expected to be responsible for securing information. “HIPAA jail” quickly became a thing in the health care security community.