Over the past 30 years, information security (IS) has been difficult to sell into organisations because, however important it is, it is less urgent than other projects – at least until it bites. IS traction has always been greater when its mandate has teeth.
Teeth have often been provided by parallel (and often subordinate) disciplines which create challenges for which the information security disciplines provide a solution. Payment Card Security was one such discipline. Relatively flawed as a security standard (at least in the early days), it was nevertheless backed up by sanctions and as a result gained traction, if only over a partial scope.
Looking ahead – certainly for those of us in the UK and Europe, we have another discipline stalking towards us.
The General Data Protection Regulation (GDPR) is an impatient tiger. That is, it has many more teeth and much less patience than its predecessor, the comparative kitten that is the Data Protection Act. The GDPR becomes effective in May 2018, and in theory, most organisational boards, regardless of their sector and size, should have considered the implications of its enactment and their level of exposure by now. But this is by no means the general picture; and failure to understand the implications risks a thorough mauling from this tetchy big cat.
GDPR will require us all to be able to show that we comply with the principles of the regulation. The implications here are not insignificant.
It gives Data Subjects – that’s us – significant rights to demand how our data is managed, including a right to be forgotten. It imposes mandatory high-tempo reporting of breaches, and it also carries punchy fines for those organisations that fail to fulfil their obligations. These can be up to £20m or 4% of global turnover.
The risks to business are exacerbated by the fact that GDPR finds us in a dramatically more complex information environment than its predecessor. It is often said that the amount of data in the world doubles every two years. In addition to this, compromise tools are more accessible and the illicit market for personal information is booming. Meanwhile, and very significantly, society expects much more from data controllers and processors, Chief Information Security Officers (CISOs) and Information Security Managers (ISMs).
GDPR will have different implications for different organisations, but regardless of what we do, how big we are or what sector we operate in, we all need to know some key facts about our data. We must know precisely what personal data is held, where it is and what plans are in place to access it. We also need to manage it correctly and ensure we provide the appropriate protection.
If you can honestly say you are confident that you have achieved that, then well done you. If not, then now is the time to act. This is a board level challenge, and if we evade our responsibilities, it is a pretty sure thing that we will be found out.
This kitten has been bred to have teeth!