Why GDPR makes even infosec practitioners anxious
When it comes to being confident that your organisation will be compliant with the General Data Protection Regulation by 25th May next year, there are certain functions you might expect to have a positive view. Information security, for example, ought to be chief cheerleaders for their businesses with a firm, “we got this”. Yet only 32% express the belief that they will have it under control in time, according to a survey carried out by ISACA among its members, all of them directly involved in the management and control of information.
At its CSX 2017 event in London this week, GDPR was leading the agenda and attracting as many concerned questions as it was getting clear answers. Despite sitting at the very heart of a key component for compliance - and this might paradoxically be reassuring to other functions who are also wrestling with the Regulation - the challenges are perceived as being complex, overlapping and difficult to resolve.
“In large organisations, it is hard to identify where personal identifiable information is stored and processed,” admitted Graham Carter, corporate IS risk and compliance manager at ABB, during a panel discussion. “You need teams in every country where you operate to identify it which can be a pain. It goes across multiple departments, from legal to lines of business, to understand the full chain. It is a big challenge to get to that.”
“IT doesn’t have its hands around many [key] areas.”
What GDPR is forcing organisations to recognise is that their sprawling use of technology has opened up a new risk dimension (and potential attack surface for hackers and bad actors). The rush to adopt new solutions in order to launch digital services means data is now spread across a huge range of systems, many of which are not properly documented or controlled. “IT doesn’t have its hands around many of those areas,” noted Carter.
If technology is part of the problem with becoming compliant, then many are hoping it will also be part of the solution. Innovation by vendors is leading to point solutions for many of the specific demands made by the Regulation.
But Christos Dimitriadis, director of information security at Intralot and past board chair of ISACA, told DataIQ that, “regtech will be beneficial, but it addresses only a fraction of the problem because technology itself is only a small aspect of GDPR. It is about protection of data, not just security.”
That difference was one that many at the conference were struggling to get to grips with. Given the surge in cyber-attacks, infosec professionals have been very focused on issues like encryption, firewalls, two-factor authentication, identity management and access monitoring. Some or all of those play a part in compliance, yet still do not make an organisation compliant. Data protection brings to bear a conceptual - even philosophical - framework in which the way personal information is thought about needs to change.
Fortunately, according to Dimitriadis, “what ISACA has is fully applicable,” not least its COBIT framework for infosec projects, and it is working on a specific set of GDPR guidelines which are planned for launch in January 2018. Individual certification is another critical aspect of its efforts to help members: the rising demand for Data Protection Officers is driving a search for appropriate credentials, which the association is looking to support.
“The most frequent question asked is finding people to work in data protection.”
The International Association of Privacy Professionals (IAPP) is in a similar position, as Paul Jordan, its managing director for Europe, explained: “The most frequent question we get asked at IAPP is about finding people to work in data protection. That goes right across enterprises and territories.”
There are some 28,000 people working as DPOs under its current, significantly less senior and demanding definition. IAPP estimates that GDPR will require 75,000 more to be hired across the European Union. “Where are we going to find them? It is very difficult to get people to fulfil that role in the market,” noted Jordan, not least because a GDPR-compliant DPO is significantly more senior, independent and highly-resourced than current practitioners have tended to be. “They need to understand the law and be able to translate it into business application,” he said. “The independence of the DPO role is difficult for companies to grapple with - we are seeing a lot of reorganisation to address that.”
Another significant conceptual issue within the Regulation which infosec professionals are worrying over is the difference in stance it takes compared to many other industry regulations. As Carter pointed out, “the premise of GDPR is around preventing harm to data subjects, not the business. That is a very different mindset and way of working and different areas of potential harm need to be developed into scenarios.” These might include the risk to an individual from identity theft, financial loss or even reputational loss as a consequence of a business failing to protect their data in the right way.
“We are seeing the breaking of silos between information security, risk, compliance, IT, governance.”
“When you build your risk register, you have to think of scenarios for the individual, not the company,” he emphasised. One key change is the evolution of privacy impact assessments, which are purely voluntary documents, into data protection impact assessments, which are legal documents required for any process involving high risks, sensitive data or PII. As Carter noted, there is currently no guidance available around how to put these together.
For Dimitriadis, for all of the challenges which the Regulation presents, there are also significant upsides. “We are seeing the breaking of silos between information security, risk, compliance, IT, governance. They were operating on their own and GDPR is driving them to work together,” he said. That can only be a good thing for all organisations if it brings about better, more co-operative and consistent working practices.
He also believes it important to see beyond 25th May. “We have seen an explosion of services around GDPR, many of which address it as a one-off. But data protection is not a project that will start and finish, it is evergreen. Organisations need to establish the framework and take this seriously.”
When the 2018 CSX event rolls into town, ISACA is hoping that, not least with its help and the efforts of its members, the first five months of doing business under GDPR will have been constructive and positive, rather than resulting in the digital economy grinding to a halt. For most at this year’s conference, the belief is that there will have been a couple of significant fines imposed early on - but also a hope that it will only be a couple.