I’ve been lucky enough to have a very successful security career and gain a modest following for my writing. Mainly stuff about Information and Cybersecurity GRC (Governance, Risk, and Compliance). Gratifyingly, my Infospectives blog also received a fair few award nominations and won a Best New Security Blog prize. In addition, rather fantastically, I ended up with my face on a Las Vegas bus. But despite all that fabulous and left-field recognition, I rather abruptly stopped.
As my LinkedIn and Twitter handles now suggest, it’s because I’ve been working my proverbial off to complete a shift into Privacy and Data Protection, with a very specific focus on making business sense of the General Data Protection Regulation (GDPR). That’s why the poor blog has been left to fend for itself and I’ve turned down a fair few lucrative job, writing, and speaking opportunities.
“Why?!” some will no doubt cry “Why are you binning established credibility and resulting hot career prospects when funding is at a debatably all-time high?”
The simple answer
I was an epic failure
Not really…as far as I know (I’ve been reliably informed by my clients that I’m pretty useful). BUT, the security trade as a whole is still struggling to escape it’s dangerously reactive past. A past that impacts most of what we try to do. So was I driven away by the bumps, bruises, and blockages in the information security world?
It’s true (as anyone with even a passing interest in Privacy will tell you), this field is seeing its own GDPR driven boom. So that explains it…except for the fact, despite potential for lots of immediate and well paid consultancy gigs, I’ve chosen to help establish a UK subsidiary of a young Swedish privacy firm. That means big rewards, pay or otherwise, take some time.
So again…why would I do this? Why, as the main breadwinner in a family with 2 youngish kids (and no stash of gold under the mattress), would I make such a big move?
The honest answer:
I’ve watched the GDPR feed a FUD fountain of the most spectacular and destructive kind
When I look back on later years of my InfoSec career (and the considerable time I spent writing about, researching, and networking with folk from all specialisms), six things stand out (things I’ve written about at length. Links point you to some related posts):
- FUD and economic short-termism provoking over reliance on technology (vs investment in education, recruitment, collaboration, realistic planning, and meaningful communication). Causing gaping holes in the budget, effectiveness, and credibility of many security functions.
- InfoSec risk management, the critical bridge between the board and the coalface, remaining a country mile away from making useful and actionable sense to most of the right people.
- GRC programmes (e.g. Data Governance, PCI, SOx, Supplier Governance) hitting the budget/time/credibility rocks. Desperate for an injection of risk sense to scope and prioritise work and remediation.
- Security and related functions operating in silos and the wrong risks landing in the wrong places.
- Top priority status periodically given to ‘data risk’. Gaps analysed and plans made to understand sensitivity, whereabouts, controls, incident management, and/or management accountabilities…but few having the appetite to take on that challenge effectively.
- An overabundance of advisors with mega per diem price tags arriving to save the day…and leaving businesses (most suffering from fallout caused by one of the above), with impractical benchmarks and plans for a plan.
Big challenges (not, I hastily add, applicable to all businesses and advisors) I dedicated huge quantities of blood, sweat, and tears, to tackling.
It was often a truly uphill struggle, given most things on my list are created (or at least perpetuated) by deeply embedded cultural factors and facts of business and economic life. A struggle that made concrete wins special, taught me hugely valuable lessons, and proved these things can be fixed with the right inclusive approach…and enough time.
Then, as my focus shifted to Privacy, something became starkly obvious: Data Protection functions, as they scale to meet current GDPR requirements, are at immediate risk of hitting the same blockages, communication challenges, and cultural conundrums.
“A shake up that’s prompted a vendor feeding frenzy. One that risks more seismic cracks and collapses than examples of constructive progress”
Are you at risk of wasting GDPR opportunities?
After beginning this shift, while the media reported a view of global security and politics that provoked a familiar and periodic urge to move to an unconnected cave (Swift, Brexit, Ransomware, the holey IoT, etc), some basic truths about InfoSec and my relationship with it crystalized:
“The core challenges, while driven by laws and legal compliance, are centered on making and scaling the right effort. Effort to identify and close compliance gaps relating to the most sensitive and most at risk data assets”
- It’s all about, with only rare exceptions, the data.
- Vulnerability and threat information (and therefore risk information) is next to useless if you don’t understand the assets (usually data assets) potentially impacted.
- The data that matters most, almost invariably, is personal
- The thing that motivates me, more than anything else, is reducing the risk of harm to people potentially impacted by accidental or malicious data disasters
- My partner aim, motivated by personal and professional experience, is to ensure we support agile design of privacy protecting and secure solutions. Especially systems, tools, and processes used to analyse and share data. Our future prosperity and wellbeing (especially in the world of healthcare) depends on it.
- The misfortune-reducing work that most floats my boat involves unpicking risk, regulation and law (yes, I’m super fun at dinner parties), to create realistically scoped, practical ways to make concrete and sustainable progress.
- The most valuable use of my communication skills is to paint the compliance and risk picture in a way that makes real business and ethical sense. Sense that will encourage the right stakeholders to accept accountability and come along for the ride.
- The best current context for all of that is the global GDPR-driven motivation to understand the need (and in most cases take action), to create a safer space for our (and our children’s) virtual and physical selves.
THAT’S why I made the shift to Data Protection and Privacy. The frequently underfunded, under resourced, and historically overlooked corner of businesses. A corner getting a brutal shake up…a 4% of global revenue sized shake up. A shake up that’s prompted a vendor feeding frenzy. One that risks more seismic cracks and collapses than examples of constructive progress.
“The solution does not, and will never, come in a box”
The core challenges, while driven by laws and legal compliance, are centered on making and scaling the right effort. Effort to identify and close compliance gaps relating to the most sensitive and most at risk data assets.
Boxes, boxes everywhere, but solutions in short supply
The potential to waste this huge opportunity is very real. The solution does not, and will never, come in a box. Budget busting tools quickly rebranded with a GDPR tagline (DLP, InfoSec GRC, Cyber solution A, B & C), won’t make this happen. They can collect, collate, tame, and track information, but not without requirements defined to reflect locally applicable controls and characteristics of local data. Ditto for configuration and tuning. They can report problems, but problems won’t get fixed without a data relevant risk rating and clearly defined data protection accountability. So no, boxes won’t fix this. Dedicated people will.
Dedicated people with often unsexy solutions that give the right stakeholders a clear top down, inside out, and bottom up view of your data universe, along with related gaps and opportunities. People like Karen Lawrence Öqvist, founder of Privasee, the Swedish business I’m now proud to be part of. Someone who gets it. Someone (like me) with long experience creating workable ways to tackle huge GRC challenges, plus widely respected and deep knowledge of the specific fun you can face in the worlds of data protection and privacy.
Ensuring the right stakeholders manage the right Data Protection risks
We know that folk closest to individual data assets often don’t have the means or clout to fix issues caused by centrally administered, business-wide, and separately owned controls (e.g. access management, incident management, change assurance, supplier governance, consent acquisition, privacy notice creation, privacy notice delivery, data transfer practices), so Privasee have built in the means to allow the right stakeholders to concurrently manage both strategic and data asset level risks.
Data Protection…not cybersecurity v2.0
We know that Data Protection and Privacy are not the same thing as Cyber or Information Security, despite an acknowledged dependence. That’s why Privasee tools, templates, and processes are not repurposed from InfoSec GRC, audit, or more general risk management. They are built to be fit for a Data Protection purpose. Recording a view of data asset protection through the lens of the core requirements of the GDPR (already close related to principles in our 1998 Data Protection Act). Providing means to analyse and report collective findings in a way that reflects likely areas of audit, regulatory, and legal focus.
We know that the GDPR is a benchmark, not a guideline. So practical guidance is built in from mapped international data protection management standards, like ISO 29100.
We know that Brexit has set the proverbial cat amongst the legal and regulatory data protection pigeons. You all know UK businesses still need to act if they plan to do anything with personal data belonging to any European citizen after May 2018, but some are waiting to find out how that will be reflected in our local laws (pretty closely if our new ICO Elizabeth Denham gets her way).
We also, as most folk are aware, won’t be out of Europe until well after the 2018 GDPR enforcement date (our acting PM controversially revealed Article 50 looks set to be triggered in March 2017). IF – a big ‘IF’ – that’s not successfully challenged by parliament and we exit 2 years later (some commentators have said it could take up to 10 years. After all, no-one’s ever done this before), it means at least 10 months bound directly, for all personal data processing, by the GDPR.
During that time, any UK firm reporting an incident impacting European and/or UK citizen’s data could (depending on your opinion on likely EU impartiality), have a big blue and gold-star-ringed target on their backs.
Privasee solutions respect that. The bankable intelligence about the status of your key data assets won’t automatically need to be reassessed after any Brexitish surprises (and when you do, as you should, regularly refresh assessments, it will be a vastly simplified task). On the contrary, what we can help you produce will signpost how and where to agilely flex processes, notices, and controls as GDPR and local requirements crystalize. Plus, it will strengthen your defense if something does go wrong.
Bankable quick wins and data asset intelligence
In short, we get it. It can be an overwhelming prospect, but with expertly applied common sense, defensible scope definition, and the right tools, it can be tackled…affordably…one Privasee Seal and hour of meaningful education at a time. Rapid real progress, raised awareness, defined accountability, and remediation plans ready to show any client or regulator who may come calling.
So, whether you are a finance firm, healthcare provider, software vendor, legal firm, clinical researcher, retailer, or a consultancy firm looking for a reusable model for your own GDPR offering, do drop me a line (firstname.lastname@example.org). We are constantly developing extra value-add features (for example, the Privacy Tracker cloud assessment tool, and other tailored/As-A-Solution offerings to suit small, medium, and large budgets), and want to invite you to join us and our existing European clients on this journey.
I’ve confidently staked my career on the fact this makes practical sense, and I’m willing to stake my reputation on the fact you’ll agree…
…or (on the off chance you initially don’t) we’ll build what we do into something that will change your mind.