I’ve been lucky enough to have a pretty successful security career and gain a modest following for my writing. Mainly stuff about Information and Cybersecurity GRC (Governance, Risk, and Compliance). Gratifyingly, my Infospectives blog also received a fair few award nominations and won a Best New Security Blog prize. In addition, rather fantastically, I ended up with my face on a Las Vegas bus. But despite all that fabulous and left-field recognition, I rather abruptly stopped.
As my LinkedIn and Twitter handles now suggest, it’s because I’ve been working my proverbial off to complete a shift into Privacy and Data Protection, with a very specific focus on making business sense of the General Data Protection Regulation (GDPR). That’s why the poor blog has been left to fend for itself and I’ve turned down a fair few lucrative opportunities.
“Why?!” some will no doubt cry “Why are you binning established credibility and resulting hot career prospects when funding is at a debatably all-time high?”
The simple answer
I was an epic failure
Not really…as far as I know (I’ve been reliably informed by my clients that I’m pretty useful). BUT, the security trade as a whole is still struggling to escape it’s dangerously reactive past. A past that impacts most of what we try to do. So was I driven away by the bumps, bruises, and blockages in the information security world?
It’s true (as anyone with even a passing interest in Privacy will tell you), this field is seeing its own GDPR driven boom. So that explains it…except for the fact, despite potential for lots of immediate and well paid consultancy gigs, I’ve been helping to establish a UK subsidiary of a young privacy firm. That means big rewards, pay or otherwise, take some time.
So again…why would I do this? Why, as the main breadwinner in a family with 2 youngish kids (and no stash of gold under the mattress), would I make such a big move?
The honest answer: I’ve watched the GDPR feed a FUD fountain of the most spectacular and destructive kind
After beginning this shift, while the media reported a view of global security and politics that provoked a familiar and periodic urge to move to an unconnected cave (Swift, Brexit, Ransomware, the holey IoT, etc), some basic truths about InfoSec and my relationship with it crystalized:
“The core challenges, while driven by laws and legal compliance, are centered on making and scaling the right effort. Effort to identify and close gaps relating to the most sensitive and most at risk data assets”
- It’s all about, with limited exceptions, the data.
- Vulnerability and threat information (and therefore risk information) is next to useless if you don’t understand the assets (data and high availability assets) potentially impacted.
- The data that matters most, almost invariably, is personal
- The thing that motivates me, more than anything else, is reducing the risk of harm to people potentially impacted by accidental or malicious data disasters
- My partner aim, motivated by personal and professional experience, is to ensure we support agile design of privacy protecting and secure solutions. Especially systems, tools, and processes used to analyse and share data. Our future prosperity and wellbeing (especially in the world of healthcare) depends on it.
- The misfortune-reducing work that most floats my boat involves unpicking risk, regulation and law (yes, I’m super fun at dinner parties), to create realistically scoped, practical ways to make concrete and sustainable progress.
- The most valuable use of my communication skills is to paint the compliance and risk picture in a way that makes real business and ethical sense. Sense that will encourage the right stakeholders to accept accountability and come along for the ride.
- The best current context for all of that is the global GDPR-driven motivation to understand the need (and in most cases take action), to create a safer space for our (and our children’s) virtual and physical selves.
THAT’S why I made the shift to Data Protection and Privacy. The frequently underfunded, under resourced, and historically overlooked corner of businesses. A corner getting a brutal shake up…a 4% of global revenue sized shake up. A shake up that’s prompted a vendor feeding frenzy. One that risks more seismic cracks and collapses than examples of constructive progress.
The sheer quantiy of rubbish out there in the social and mainstream media-verse is terrifying. A quick search on Twitter for the #GDPRubbish hashtag (created by top Data Protection pro Rowenna Fielding) will highlight just a small proportion of it. Drivers include; craving for clicks over content, requirement-blind persuit of marketshare, applying siloed security thinking to a broader data protection problem, or just wilful and greedy ignorance. But there is also a lot of genuine confusion, even among top pros for finer points of this principles based reguation. The difference between the people who really know this and the rest, is ability to plan around uncertainty using accumulated historical experience….and obvious fury about overnight experts fundamentally misleading people…something I’m loathe to call negligence, but I probably should.
The fact that I’m also a recent convert isn’t lost on me, but I have had data protection as part of my InfoSec day job for most of the last 8 years, and during this transition I have worked tirelessly to make sure my facts are straight and my advice is relevant, with hugely appreciated support from a number of fabulous and incredibly experienced data protection peers. I’m also very familiar with most of the imminent planning and risk management challenges:
For organisations often lucky to have 1 full-time person ‘doing’ Data Protection, it will be a huge challenge to stand up a people, process, and tech change programme (however small), or, if all controls are reportedly already up to scratch, put in place effective ways to backfill any holes in that view of current state (in-house and for third parties), then keep on top of change, and evidence all that in a way the business can use to manage risk. Very familiar pain.
So what specifically is all the fuss about?
Here’s an excerpt from IAPP’s summary of GDPR changes (link to the full IAPP graphic and link to a handy searchable version of full regulation wording)
We can all shout about firms who should already have had their house in order under pre-existing data protection law, but with historically small fines and wildly varying approaches to enforcement across Europe, that was never going to trump other commercial and operational realities.
Now it’s an entirely different ballgame. The click-baity maximum 4% revenue fine – very unlikely to ever be levied in full, but fines will likely see an order of magnitude increase…before you factor in related reputational risk – will put it on the strategic risk map for most firms. Then there’s the right to order firms to restrict or completely cease processing all personal data (an available sanction in existing law, but may be used more frequently in future). Not forgetting a door left open for class action lawsuits, and a new requirement to hard-wire accountability for data protection, then EVIDENCE adequacy of controls.
Putting the means in place to achieve that latter part, is where I get to apply most of my transferable skills.
Past experience of future pain
When I look back on later years of my InfoSec career (and the considerable time I spent writing about, researching, and networking with folk from all specialisms), six things stand out (things I’ve written about at length. Links point you to some related posts):
- FUD and economic short-termism provoking over reliance on tactical technology spend (vs investment in security foundations, sufficient bodies and time to mature control, education, better recruitment practice, collaboration, realistic planning, and meaningful communication). Causing gaping holes in the budget, effectiveness, and credibility of many security functions.
- InfoSec risk management, the critical bridge between the board and the coalface, remaining a country mile away from making useful and actionable sense to most of the right people.
- GRC programmes (e.g. Data Governance, PCI, SOx, Supplier Governance) hitting the budget/time/credibility rocks. Desperate for an injection of risk sense to scope and prioritise work and remediation.
- Security and related functions operating in silos and the wrong risks landing in the wrong places.
- Top priority status periodically given to ‘data risk’. A laudable urge to face the fact that they have lost track of big chunks of data (in-house and with 3rd parties) and data usage has insidiously crept to service objectives, make life easy, or indulge in some big data fun. Gaps are analysed and plans made to understand sensitivity, whereabouts, controls, incident management, and/or management accountabilities…but few have the appetite, budget, or means to take on that challenge effectively.
- An overabundance of advisors with mega per diem price tags arriving to save the day…and leaving businesses (most suffering from fallout caused by one of the above), with impractical benchmarks and plans for a plan.
Big challenges I dedicated huge quantities of blood, sweat, and tears, to tackling.
It was often a truly uphill struggle, given most things on my list are created (or at least perpetuated) by deeply embedded cultural factors and facts of business and economic life. A struggle that made concrete wins special, taught me hugely valuable lessons, and proved these things can be improved with the right inclusive approach, right bodies on board…and enough time.
Then, as my focus shifted to Privacy, something became starkly obvious: Data Protection functions, as they scale to meet current GDPR requirements, are at immediate risk of hitting the same blockages, communication challenges, and cultural conundrums.
“The solution does not, and will never, come in a box”
The core challenges, while driven by laws and legal compliance, are centered on making and scaling the right effort. Effort to identify and close gaps relating to the most sensitive and most at risk data assets.
Boxes, boxes everywhere, but solutions in short supply
The potential to waste this huge opportunity is very real. The solution does not, and will never, come in a box. Budget busting tools quickly rebranded with a GDPR tagline (DLP, InfoSec GRC, Cyber solution A, B & C), won’t make this happen. They can collect, collate, tame, track, and control information, but not without requirements defined to reflect local skill, process and tech maturity, plus characteristics of local data.
Ditto for data discover and mapping solutions, with all that configuration and tuning to be done. They can report problems, but if you don’t understand the data, requirements, and risks, plus have people who can translate all that into actionable intelligence, then find someone formally on the hook to sponsor fixes, problems won’t get solved. It will just be another data lake that turns into a rope to hang you with come breach, regulator investigation, or audit time.
So no, boxes won’t fix this. Dedicated people will.
Dedicated people with often unsexy solutions that give the right stakeholders a clear view of your data universe, along with related gaps, and realistic priorities.
Ensuring the right stakeholders manage the right Data Protection risks
We know that folk closest to individual data assets often don’t have the means or clout to fix issues caused by centrally administered, business-wide, and separately owned controls (e.g. access management, incident management, change assurance, supplier governance, consent acquisition, privacy notice creation, privacy notice delivery, data transfer practices), so you have to put the right risks in front of the right stakeholders. Get that wrong and nothing will get done.
Data Protection…not cybersecurity v2.0
We know that Data Protection and Privacy are not the same thing as Cyber or Information Security, despite an acknowledged dependence, and a regulatory requirement for ‘adequate’ control. And no, in case you were wondering, encrypt and forget doesn’t cut it, nor does an ISO27001 certificate.
That’s why you need to be wary of templates, tools, and processes repurposed from InfoSec, audit, or more general risk management and sold as silver bullets. You need to look at data collection points, original purposea for collection, and data uses (where they may differ from agreed purposes). If you tell customers you only acquire names and addresses for the purpose of payment for products and delivery, you’d better not be using it for marketing, resale to brokers, or profiling to personalise pricing.
You need to be sure of the legal grounds for data processing, ensure transparency about that at time of collection and make sure you protect data you are legally entitled to have for as long as you are legally entitled to have it, then anonymise or delete it.
You also need to be able to respond to data subjects who have the right to check what you are doing with data, get an initial response within 30 days, and have you limit or stop doing it.
That makes a Privacy Impact Assessment of key processing much more than a tick-box exercise. You need the output to be able to analyse and report collective findings. Findings in the context of local risk to steer you to priorities for change.
We know that the GDPR is a benchmark, not a guideline. So that risk sense is going to be vital.
We know that Brexit has set the proverbial cat amongst the legal and regulatory data protection pigeons. UK organisations and anyone else accessing, processing, or otherwise handling data that’s in the EU, have to have made good progress towards GDPR compliance by May 2018…unless they are already in tip top data protection shape, or don’t care if they get to carry on doing what they’re doing with data after that date.
You’ll note I said ‘make good progress towards GDPR compliance’ rather than ‘be compliant with the GDPR’. That’s a difference worth noting. Professionals will talk about the former, but vendors will almost always come at you with the latter.
The trouble is, many organisations are doing NOTHING. Plenty of UK firms are waiting to find out how that will be reflected in our local laws (incredibly closely based on the current draft of the Data Protection Bill that will soon become law). And a far far larger proportion of non-EU firms who handle EU personal data have their heads buried in the sand.
From that UK perspective, we won’t be out of Europe until well after the May 2018 GDPR enforcement date (Article 50 means we’re on the ‘fast’ track to be out of Europe on 1st April 2019 – no the irony isn’t lost on me). IF – a big ‘IF’ – that’s not successfully challenged by parliament (some commentators have even said it could take up to 10 years. After all, no-one’s ever done this before). That means, at the VERY least, 10 months bound directly, for all personal data processing, by the GDPR.
During that time, any UK firm reporting an incident impacting European and/or UK citizen’s data could (depending on your opinion on likely EU impartiality), have a big blue and gold target on their backs.
Organisations HAVE to be able to signpost how far they plan to go to improve existing data protection and security processes, policies, systems, contracts, and controls. If something goes wrong (a breach, or complaint leading to an investigation) ignorance of your current state and change priorities will be indefensible, no matter how big or small the changes need to be.
Quick wins and cracking on
In short, it’s not rocket science, but it takes some significant thought and effort. It can be an overwhelming prospect, but with expertly applied common sense, defensible scope definition, and the right tools, it can be tackled…affordably. Quick wins, high risk priorities, and sensible progressive scope extension, all in tandem. The former two informing the latter and creating economies of scale for subsquent steps. Taking a risk-based and agile (small or large ‘A’) approach to moving towards better practice is the only rational response in time available. All the while working to embed accountability in the places that matter and keeping a note of your workings out. Without clear evidence of planning requirements, objectives, decisions and steps, you can’t defend your position to anyone. Least of all those who hold the budget.
So, whether you are a finance firm, healthcare provider, software vendor, legal firm, clinical researcher, retailer, or a consultancy firm, this should matter to you…unless you never have data from Europe anywhere near your organisation (that includes data from client firms, or EU staff). If you ARE in this huge club, and are looking for a some FUD-free GDPR perspective, I’m happy to help.
I know we can do right by organisations and far better by data subjects without bankrupting firms, and I’m collaborating with some incredibly experienced Data Protection veterans to show folks how.