Too many different regulations are hampering companies’ ability to deal with cyberattacks, said Goldman Sachs‘ chief information security officer Tuesday.
“What’s frustrating for me is how much of my time, my team’s time and my resources are spent on having to answer a never-ending stream of regulator requests,” said Andy Ozment. “In my mind, it’s a distraction away from cybersecurity.”
Companies must comply with regulations in each country they operate, and those rules can differ dramatically. Also, in the United States, there is no federal data breach notification law, and companies must comply with different notification laws across all 50 states. Governments could do a better job of streamlining these many different and sometimes competing interests, he said.
Ozment, who rarely talks in public, was speaking at a WSJ Pro Cybersecurity forum in Manhattan. He’s one of the most influential voices in financial services cybersecurity, and served as Assistant Secretary for Cybersecurity and Communications for the Department of Homeland Security before taking the top security job at Goldman.
Third-party oversight, where companies must evaluate all of their vendors for cyber risk, can also be difficult to manage, Ozment said. Companies spend a lot of time doing laborious risk assessments of their vendors, then have to answer the same assessments for the companies they serve. He suggested government officials could do a better job of organizing a standardized response, and that industry could take the lead in pushing a standard.
“The burden of constantly assessing each other and being assessed, it seems like an area ripe for involvement,” he said.
Ozment also said that companies need to be careful as well if they are considering outsourcing cybersecurity roles to countries that may support hacks against U.S. companies.
“It’s hard to set up a 24/7 operation. I do think it matters what country they’re in. If that’s a country that’s attacking you, I don’t think that’s a good idea,” he said.