The Regulatory Tidal Wave for Cybersecurity is Inbound
Last week, I was invited as a guest presenter to the EFC’s IoT group meeting in Toronto, Canada. During this meeting, I presented our current view on the state of standards and regulations that will impact many markets globally, with a focus on vendors who service the NA market for electrical and critical infrastructure.
With pending Bill C-26 and its current requirements, it will have a potential negative impact on SMBs who are not servicing this sector. Our guidance is that component and product vendors must start assessing both cybersecurity and privacy risks in their business, not just once but on an ongoing basis, and ensure they create auditable outcomes for these activities (full stop). Governments globally are clearly going this route, and if you want to sell into many jurisdictions you will need to demonstrate how you meet these requirements.
By far the easiest way to do this is by implementing a governance framework (there are many, just choose one!). Likewise, you need an SDLC; again, just implement one for your business if you're a product vendor. Last but not least, think about how you will demonstrate you meet these requirements. I would highly recommend you look at CSA Group's T-200, which has been adopted in both Canada and the US as a means for certification.
Here are the links I have included in my presentation:
d. Bill C-26