Regulated sectors such as the civil nuclear industry and financial institutions have seen a recent shift towards outcome-focused regulation which is a relatively new approach. Regulatory bodies such as the Office for Nuclear Regulation (ONR) and Financial Conduct Authority (FCA) have typically used a more prescriptive rules-based approach. So why the change?
By understanding it well, outcome-focused regulation can enable security innovation and bring business benefits including reduced costs. That sounds attractive. It’s an approach that fits well with Ascentor’s long-held philosophy that information security should be risk-based, pragmatic, appropriate and cost effective (PACE).
In this blog, we explore the pros, cons and applicability of rules-based versus outcome-focused regulation, concluding with our rationale as to why the latter is better for information security.
Prescriptive rules-based regulation
In May 2018, the Department for Business, Energy & Industrial Strategy (BEIS) published ‘Research Paper Number 8, ‘Goals-Based and Rules-Based Approaches to Regulation’. The paper describes a rules-based regulatory approach as having one or more widely recognised and generally non-contentious core attributes. In summary, these are:
- Rules that are specific, precise and prescriptive, leaving no doubt about permissible actions and compliance requirements of regulated organisations.
- Rules that define permissible regulator conduct.
- Regulation enforcement that is focused purely on compliance with the rules.
An information security scenario that illustrates the attributes of a prescriptive rules-based approach is that of the often-mandated requirement for organisations to be compliant under the Cyber Essentials Scheme standard – a standard which is endorsed by GCHQ’s National Cyber Security Centre (NCSC). Once mandated, Cyber Essentials becomes a ‘rule’.
Consider the Ministry of Defence (MOD), which has determined Cyber Essentials as one of the standards for its supply chain organisations. It is a specific rule that gives organisations no doubt about what permissible action to take.
Accordingly, supply chain organisations need to ensure that they achieve Cyber Essentials certification, while the MOD, which enforces the rule, must confirm whether they are in fact certified. The question of whether the certification is specifically scoped to be relevant to all MOD identifiable information (MOD Industry Security Notice Number 2016/05) or whether certification is PACE-principled is not considered.
Rules-based myths and issues
Many organisations like a prescriptive rules-based approach. Here’s what people say and our observations:
- “It’s straightforward”: it sets clear expectations and requirements. In our experience, this is often the case for small to medium enterprises (SMEs) who barely have the budget or the time for basic information security, let alone having to think about the implication of regulation beyond compliance. But remember, every organisation is very different in terms of size, complexity and security maturity, so straightforward doesn’t always mean “right for you”.
- “It’s simpler and cheaper”: organisations know what they need to do and what is required. We find that all too often security controls implemented simply as a compliance exercise (“because we were told to have it in place”) are unnecessary when you properly understand the risk. So, any associated costs could have been saved without detrimentally affecting risk.
- “As long as I’m ‘compliant’, if it all goes wrong, it is somebody else’s responsibility”: it doesn’t matter which way you look at it, it’s your organisation’s responsibility to protect information securely.
We also hear the argument “stand-alone IT systems are the only answer”. Companies often think that single PCs or a stand-alone internal and location-specific network with limited or no Internet connectivity separate from corporate networks are secure. In reality, from a risk perspective, for highly classified or very sensitive IT systems (SECRET and above in Her Majesty’s Government terms), having stand-alone solutions is often a logical conclusion (supported by additional robust security controls as appropriate).
However, stand-alone systems for lower classification situations can introduce significant security risk if not implemented with risk firmly in mind. Who will maintain these systems? How will they be patched and updated? How will information be securely transferred to and from them? The reality is that stand-alone systems are often implemented and maintained by people with little or no IT or security know-how.
We do come across instances of organisations challenging and complaining about a rules-based approach. They often have identified the lack of applicability of the prescriptive, rules-based regulatory requirements imposed upon them. We’ve also come across organisations who have fallen into the trap of striving for compliance where the required costs and specialist resources are disproportionate to the risk.
All in all, when it comes to information security, any approach that tries to impose a simple, ‘one-size-fits-all’ set of rules fundamentally challenges the risk-based PACE approach that can ultimately bring business benefits beyond ‘just enough’ compliance.
So, let’s consider the benefits of a more innovative approach.
BEIS Research Paper Number 8 is less definite about the terminology surrounding what they call a goal-based regulatory approach and what we align to a risk-based, outcome-focused approach. In general terms, the paper lays out certain attributes that appear to have some level of wider agreement and are summarised below:
- Regulated organisations set their own high-level goals based on broad principles, outcomes or standards – there is little guidance offered.
- Compliance involves a higher degree of judgement and is dependent on each organisation and their established goals.
- Regulation enforcement also involves a higher degree of judgement with performance levels and assessment methods being set in relation to an organisation’s chosen goals.
Returning to our MOD example, an outcome-focused approach might require supply chain organisations to ‘ensure that risks to MOD identifiable information are managed and minimised’. This ‘goal’ sets out a broad, risk-based principle; supply chain organisations are entrusted to exercise judgement in understanding and determining the risk and the controls required in the context of their organisation.
In this scenario, whether supply chain organisations have minimised information security risk will only be determined as part of day-to-day operations. Hence, they need to be constantly mindful of whether their risk-based arrangements continue to be effective. Similarly, the MOD will have to exercise judgement as to whether, in a given set of conditions, the information security risk-based arrangements of a supply chain organisation are effective.
Innovation and business benefit with an outcome-focused approach
With an outcome-focused regulatory environment, organisations are at liberty to understand and document security risk. They can make their own case as to what controls are and are not appropriate. This enables decisions to be made in the context of the business requirements and with costs and budget firmly in mind. Providing you can demonstrate that you have implemented appropriate security controls and that you understand your responsibilities under any applicable legislation, then you can be innovative rather than constrained by rules.
But this approach needs more consideration – you will need knowledge and potentially guidance from experts to navigate the options and make the best choices for your organisation.
How Ascentor can help
Whether you are in a rules-based or outcome-focused regulatory environment, we can support you. Our range of services is broad and deep, underpinned by our expertise and experience in the most demanding of regulatory environments dealing with all levels of sensitive information.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about a range of topical cyber security issues. You might also like to receive our quarterly newsletter. Sign-up details below.
If you’d like to discuss any aspect of IA and cyber security, please get in touch, using the contact details below.