Working in cyber security means reaction and flux. The reality of the role is responding to an ever-changing landscape of cyber threats that are only increasing in size and ferocity as we trip towards the much-heralded digital revolution.
This year, cyber firms – along with many others – have the addition of the fast-approaching GDPR (General Data Protection Regulation) to grapple with alongside their existing operations. The implementation date of 25 May is not far away, and for some firms there is much to do.
For many cyber experts, this regulation represents a show of strength from the EU Data Protection Authorities. Firms can face fines for non-compliance of up to €20 million or 4% of worldwide turnover, whichever is higher. On the other hand, some hint that this could be the new “millennium bug”, with too much hype over a catastrophe that won’t materialise.
Despite this, the regulation brings with it many changes that businesses must be aware of in regards their cyber security and accountability. The boardroom will need to adjust, not least because this is where the buck often stops when the worst happens. Despite this, according to recent research, only 2% of FTSE350 boards have a board level CIO, CTO or CDO who could be held to account when the inevitable breach occurs.
The impact of GDPR on Cyber Security Provision
The new GDPR legislation will affect a business’ cyber security efforts in two main ways: the timeliness of reporting and the diagnosis of breach severity.
Under GDPR, a business suffering a hack or losing personal data must report it to the relevant Data Protection Authority within 72 hours of discovery. Lawyers will advise that minor breaches of non-critical data don’t need reporting to the Information Commissioner’s Office, but imagine if a superficially ‘minor’ breach was a precursor to a more targeted, more damaging attack later on? Vigilance is crucial.
Understanding the activity within the corporate environment at an extremely granular level, and interpreting the ‘signals from the noise’ to indicate anomalous behaviour, will be more critical than ever. It can also help ensure businesses meet the requirements of GDPR by monitoring evolving threats and being cognisant of their business network landscape.
Real-time analysis at the network level is a means of achieving this clarity and understanding. Given the range of applications and services that run over a business network, traditional monitoring systems that look for malicious behaviour won’t be able to pick up on superficially legitimate behaviours. From 25 May, understanding the severity of a breach will be crucial. If organisations can’t assess the extent of it, they will be subject to the severe penalties for suffering a breach but may also miss the deadline to report it due to the length of time it takes to comprehensively identify it.
Transparency and Trust
The GDPR is designed to give consumers more control of their data, while making sure companies are transparent and responsible in their handling of it. For example, individuals have the right to request access to their personal data and ask how it is being used by the company. GDPR will also give them the right to withdraw their consent from a company to use their personal data at any time.
This provides businesses with an opportunity to demonstrate a new level of transparency and trust. To achieve this, a business must have the right expertise in house: a data protection officer would be ideal. This role entails taking responsibility for reviewing and understanding held data. They will ascertain why the data is held, how permissions were gained and whom it will be shared with.
The data protection officer will also need the right tools in place to monitor irregularities and work with the CISO network team. Real-time analysis at the network level will give businesses an indication of the files or data that have been transferred or viewed from the network environment. This will support any breach reporting and give an organisation the means to handle the reputational aspect of a breach fallout, and rapidly understand what data has been accessed and how to respond.
The next key part of the puzzle is for a business to have a slick process for reporting and communicating breaches to the regulator, customers and any other affected parties. Practice is the only way to prepare: define a process, rehearse it in simulations with the required decision makers, refine it, and repeat as the business and regulatory environment shifts, year on year. Complement this with a clear and defined internal procedure so all staff know what to do should and who they need to speak to if they notice something awry.
It’s time for CIOs to change
Historically, IT Directors, and sometimes CIOs, were focused solely on operational activities: keeping the lights on, keeping risk low, keeping systems running. Today we are seeing a necessary transition of the role, from functional CIO to strategic CIO.
In a context where the internet and digital technology is transforming all business operations, this shift is vital. Unfortunately, it’s not universal. It takes time for people with the right ambitions, brought up in a context of risk mitigation and operations, to transition into the role of business strategy and vision. Boards will need to focus on supporting the people in these roles to help them define not just the strategic implications of new regulations like GDPR, but also the opportunities that abound from new platforms, channels and technologies. CIOs must evolve, and they will need support and assistance to achieve this.
Fundamentally, we need more accountability and understanding of data and security at board level in the UK. GDPR will help to force companies to consider these issues, but they should be doing so already. Addressing the current challenges and aligning the business strategy to meet these will require guidance from strategic IT leadership: an experienced, strategic CIO or CTO. Make these people pivotal and a business can remain cyber accountable – and survive.
This article is from the CBROnline archive: some formatting and images may not be present.