20 December 2018

Patchwork laws and constant requests frustrate companies, says CIO

Goldman Sachs' top cybersecurity official argues too many regulators are taking resources away from cybersecurity teams.

Andy Ozment, chief information security officer at Goldman, said, ‘What's frustrating for me is how much of my time, my team's time and my resources are spent on having to answer a never-ending stream of regulator requests.’

Stream of requests

Mr Ozment said, ‘In my mind, it's a distraction away from cybersecurity.’ Mr Ozment was speaking at a Wall Street Journal Pro Cybersecurity forum in New York. He discussed how companies must comply with regulations in each country in which they operate, and those rules can differ dramatically. Also, in the United States, there is no federal data breach notification law, and companies must comply with different notification laws across all 50 states. He suggested governments could do a better job of streamlining these many different and sometimes competing interests.

Mr Ozment explained that third-party oversight, where companies must evaluate all of their vendors for cyber risk, can also be difficult to manage. Companies spend a lot of time doing laborious risk assessments of their vendors, then have to answer the same assessments for the companies they serve.

24/7 is hard

Mr Ozment suggested government officials could do a better job of organizing a standardized response, and that industry could take the lead in pushing a standard, stating, ‘The burden of constantly assessing each other and being assessed, it seems like an area ripe for involvement.’ He also said that companies need to be careful if they are considering outsourcing cybersecurity roles to countries that may support hacks against US companies, saying, ‘It's hard to set up a 24/7 operation. I do think it matters what country they're in. If that's a country that's attacking you, I don't think that's a good idea.’

Mr Ozment rarely gives talks in public but is one of the most influential voices in financial services cybersecurity. He served as assistant secretary for cybersecurity and communications for the Department of Homeland Security before taking the top security job at Goldman.