The largest regulation overhaul in history impacting the Privacy & Security of EU citizens is now just twelve months from coming into effect. It is arguably the most disruptive regulatory change organisations have faced in recent history, and one that some would say is long overdue.
So it’s half-time. The GDPR programme team are back in the dressing room reflecting on an eventful first half. A first half which saw lips split, teeth lost and data found in the most unimaginable places! “Are we going to win?” comes the cry from the stretchered-off striker. A sharp intake of breath, a long pause, a gulp – dry-mouthed, you reply “Of course we are!!” – the rest of the team (those who can still manage to open an eye) turn to look at you, incredulous at your response: half-time, losing 5-0, your main striker removed from the pitch on a stretcher, and you’ve barely set foot in the opponent’s half.
Can we possibly win? – you think to yourself.
A familiar story? If so, you are probably not in the minority.
Reflecting upon the last twelve months, let’s look at what we have achieved: We have now defined and documented our legal basis for processing data; the purpose for processing is clearly set out; and we have established where our data is (which systems store data) and who has access to it (ranging from colleagues to third parties) – data mapping is complete. If this is where you find yourself today, well done! No. VERY WELL DONE! This would be a significant milestone and one many organisations recognise as somewhat aspirational.
So now comes the easy bit? Huh?
If your organisation finds itself in this luxurious position, and your programme team is scaled to achieve the next milestones, easy is not an adjective I would choose. Optimistic would be the blandly reassuring term on my lips.
Your priorities now turn to building robust privacy processes and securing your computer networks, systems and data. Using a risk-based strategy, arguably the latter is already taken care of and you only need to focus on the former.
Let’s reflect a little here. GDPR requires organisations to implement appropriate technical and organisational security measures. In fact:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”
Reflecting a little more. May 12th saw the largest, most widespread cybersecurity incident in recent times. WannaCry ransomware exposed significant cybersecurity weaknesses in organisations globally. An incident that, in all likelihood, didn’t impact ‘the rights and freedoms of natural persons’, but left organisations with mops and buckets in their hands for days, if not weeks. Is it not the primary objective of a cybersecurity programme to safely enable its business? – Rose-tinted glasses are freely available at most good rose-tinted glasses retailers.
Institutionalisation describes the extent to which behaviours and activities are ingrained in an organisation’s operations. The more deeply ingrained a behaviour, the more likely it is that the organisation will continue to perform that behaviour in the future, the behaviour will be maintained under periods of stress, and the outcomes of activities will be consistent and of high-quality.
Cybersecurity is far from institutionalised in most organisations, and it’s this change most cybersecurity leaders need to deliver. GDPR necessitates cybersecurity institutionalisation.
Delivering a cybersecurity programme fit for GDPR requires bold and strategic change. Cybersecurity leaders need to strengthen their security capabilities with targeted, risk-based interventions. Position the security function for success by augmenting capabilities with state-of-the-art technology, step-changing maturity through managed security services, and building robust, inclusive business-security processes.
Minimising the likelihood of a successful cybersecurity attack which impacts our operational resiliency should be our primary objective; closely followed by minimising the likelihood of an event which impacts the rights and freedoms of individuals. After all, if we don’t succeed in keeping the lights on, we don’t get paid!
It’s at this point it would be remiss of me if I didn’t recommend a review of the current threat landscape. Your Board did ask you “are we vulnerable to ransomware?” – Your cybersecurity strategy should be flexible enough to take account of dramatic, global cybersecurity events, and adjust accordingly.
My personal observations of GDPR programmes – many will be hoping for extra time, or even penalties. Some will be expecting the match to be played over two legs but certainly will not be wanting to lose via a golden goal in extra time.
Reaching the next milestone – securing computer networks, systems and data – never ends. We must institutionalise cybersecurity so we become quicker and more effective at managing risk, in turn delivering resilient digital systems for our businesses.
The second half is about to start. I need to take my seat in the stands but I’d rather be on the pitch.
Please get in touch if you want considered, pragmatic cyber security advice.
Richard Jones – CISO, SecureLink UK