Very unusually for me (being a very busy working Mum of 2) I had two trips away to conferences in the last 2 weeks. The first was RANT and the second was the 2016 IAPP Data Protection Congress (London and Brussels respectively).
The former is almost completely focused on Information and/or Cyber Security. The latter is about Privacy and Data Protection (and mostly – very predictably – the GDPR), but they had one thing in common:
Though there was much value in networking and lots of cracking knowledge shared, there was also too much stating of the age old obvious and repeated missing of some crucial points. A set of which I almost tore a muscle trying to grab the mic to shout about. But due to overruns and not getting spotted (or possibly getting avoided when they saw the look on my face) I had to resort to tetchy sounding tweetstorms.
Tweeted the follow ups to that one separately rather than as a reply thread…not sure why
That helped at the time (and now you know to avoid my Twitter feed when you see 1/? at the end of a tweet), but the tetch isn’t wearing off, so here I am with the first of a series of posts trying to explain why:
Ambiguous accountability, planning paralysis, and scoping (in)sanity
Taking that damning sounding list from the top for this first installment, the conversation at RANT about landing accountability for bad security (equally relevant to ropy Data Protection and Privacy) was a shocking illustration of forced or uninformed laissez-faire. What started as a talk about threats, quickly devolved down to a nihilistic whine about bad borrowed code and CXOs who don’t care.
Summarising my partially heckled and subsequently tweeted response:
- Quitting isn’t an option: Bad 3rd party code? Requirements devoid of privacy and security? Holey legacy software or kit woven unsupportably and fatally around new and expanding services? Data transferred hither and yon in pursuit of the latest analytics prize with nary a notice in sight, 3rd parties running uncontrollably and insecurely amok? What’s the answer? I’ll give you a clue: It’s never to give up and give in.
- It’s about ACCOUNTABILITY AND RISK: (sorry to shout – I told you I was tetchy). It isn’t going to work unless you’ve laid the groundwork, and laying the groundwork is tough, but it’s the only diligent and ethical response. First separate giant, persistent and business-wide problems from things quickly and locally fixable.
- Land them: Make senior owners (ones with real business liability, clout, and budget to make a difference – rarely, if ever, the CISO or DPO) formally accountable for those umbrella risks that require a strategic solution plus medium term risk tolerance decisions. Find owners at the same level (owners in relevant business operation, change, and/or vendor governance reporting lines), and make them accountable for things that can be fixed as part of BAU improvement, in-flight change activity, or existing vendor agreements. Make sure they know what they are signing up to and actually make them physically or digitally put their name down as owner of assessed risks.
- Keep landing them: Keep putting those risks – the bigger longer-standing issues, and the unfixed run and change risks – on the table with all of the other operational and strategic business risks. Partner with revised risk assessments and plans for remediation.
- Collaborate to remediate: Put CXOs in comparable firms/industries in a room to have a Chatham House discussion about all the big hairy risks they are tolerating, resulting incidents suffered, and solutions they have singly and severally researched or tried. If you have done your risk assessment and communication job, you could create real collective motivation to collaborate to improve persistent and almost universal problems, e.g.:
- Failure to properly define requirements
- Resulting failure to budget for and build-in privacy and security,
- Over-reliance on technology solutions (often sold with large doses of FUD) that fix bitesize pieces of problems,
- Poor recruiters and crushing per-diem price tags for very variably useful consultants,
- Big vendors releasing beta-ish tools and software and making firms pay handsomely, through support, to fix the known holes they are shipped with,
- More generally privacy and security being seen as a pricey and efficiency crushing bolt-on instead of a critical part of everything we do and deliver.
- Campaign to make risk ownership persist: Finally, and not included in the original twant (tweeted rant – though on second thoughts a tad too much of a typo risk): attach that formal risk ownership to the role and/or role holder until the risk is mitigated…even if it’s a risky product or service subsequently released to clients and therefore (typically) the risk is handed over to the consumer to bear. My heartfelt plea for this is discussed in much more detail here:
Which could equally relevantly be titled: So Your DPO Owns Your Data Protection Risks?
So that’s part of my spleen vented.
Of course, as I said at the start of the list, none of this is easy, but it is achievable. I wouldn’t dare pontificate if I hadn’t worked my proverbial off to apply my own advice in multiple past roles. Some efforts were more successful than others, and where there was less success it was usually down to politics, culture and more specifically risk immaturity. Things I split my focus to work within then improve where possible.
Now to get some much needed sleep, so I can re-stoke the fire for part 2 – A very GDPR focused rant about all the hopeful and misguided waiting and seeing while the May 2018 enforcement clock ticks increasingly loudly in all of our ears.
Image Credit: Copyright: http://www.123rf.com/profile_akz akz / 123RF Stock Photo