UPDATED 11.55 28/01/2019 to clarify nature of funding
The UK will invest in designing and developing secure hardware as well as software to help support enterprise security, Business Secretary Greg Clark said today, announcing a £70 million investment to coincide with Data Protection Day 2019.
The sum will be earmarked from the government’s Industrial Strategy Challenge Fund and be backed by “further investment” from industry, Clark said. It will be allocated to R&D efforts that aim to “design out” many forms of cyber threats by “designing in” security and protection technology/solutions into hardware and chip designs.
The Department of Business and Industrial Strategy told Computer Business Review that businesses will be able to apply for funding through a competitive bid process, with the further backing coming from match funding by researchers and businesses that are successful in their bids.
Dr Ian Levy, the NCSC’s Technical Director, welcomed the announcement.
He said: “The NCSC is committed to improving security from the ground up, and we have been working closely with government to promote adoption of technology and practices to protect the UK”.
Dr Levy added: “We hope this additional investment will drive fundamental changes to products we use every day. This is vital work, because improving hardware can eradicate a wide range of vulnerabilities.”
(The NCSC already helps secure approximately 145,000 physical items, such as CDs and data tokens, annually, helping secure hardware for government, industry and law enforcement customers.)
The move comes as the government aims for R&D investment to reach 2.4% of GDP by 2027, the biggest increase in public investment in R&D in UK history. (South Korea and Israel are world leaders on this front, both investing over 4% of GDP into R&D.)
Data Protection Day 2019…
HMG was not the only entity making Data Protection Day announcements, however.
Meanwhile, companies in the security sector around the country today joined policymakers in flagging Data Protection Day, which is aimed at raising awareness and promoting good data privacy practices around the world.
Nick Taylor, UK lead at Accenture Security, said: “Data Protection Day fast follows not only the first fine under GDPR, but also a recognition from global leaders – in business and politics – that trust is vital for our future. Although the fines are paid in pounds and pence, trust is the world’s currency in which the biggest losses could be felt.”
He added: “Our own research, launched at the World Economic Forum in Davos last week shows that a trusted digital economy could stimulate 2.8 percent in additional growth for large organizations over the next five years, translating into $5.2 trillion in value creation opportunities for society as a whole.”
Elodie Dowling, EMEA General Counsel, BMC Software, pointed to four measures enterprises can take to ensure better data protection.
“Companies are able to achieve better data protection in today’s IT ecosystem through four critical measures. Visibility – IT needs the tools to know where sensitive customer data resides, how it is being processed, and by whom. Security – DevOps teams must be aligned to maintain security and compliance. Integrity – IT must validate structured and unstructured data automatically, and ensure that stored data is intact. Recovery – Organisations must ensure data is recoverable in a timely manner in the event of any physical or technical incidents.”
Chris Hodson, EMEA CISO at endpoint security and systems management company Tanium, added: “On the first data privacy day since GDPR has been in force, there is no doubt that analysing the effectiveness of the regulation will dominate.”
“For me, as a CISO, there are many common misconceptions of GDPR. Firstly, we must remember that approximately 80% of GDPR isn’t directly within the CISO’s purview. The whole business, most notably the DPO, must be responsible for driving data privacy across the enterprise. The security function can certainly help with the “how” of data protection and must be responsible for putting the processes in place to ensure that data is safeguarded. However, we are often very little use in ascertaining the “why” of data collection. For a security team or CISO, it’s about ensuring that controllers (and processors) carry out data processing in a transparent fashion. It’s about making sure that information is not left lying around in servers ad infinitum.”
“That’s why the best defence is a model for qualification and assurance. That means having real-time visibility of the data stored across your network and where threats and vulnerabilities exist. But it also means taking a role in educating our boards, executives, and fellow employees on their role in protecting data: choosing systems and practices that support GDPR principles and maintaining practices that safeguard customer data in the long-term.”