The General Data Protection Regulation, better known as the GDPR, has come into force, and with it come questions from those working in cyber security, not least how the directive will affect their role within an organisation. With so many different domains covered by the GDPR, how does it relate to cyber security, and what should cyber security professionals be aware of?
Cyber defence advisor Cameron Brown asserts that the key point to be aware of “is that data protection and data privacy require a multidisciplinary team to really address the needs or fundamental tenets of GDPR.” This brings in the need for internal and external experts who can combine their skill sets and experience for the good of the organisation as a whole. To navigate the requirements of the regulation, from data inventory and mapping through to communication with supervisory authorities, businesses need to engage with the people who operate the technology, the policy drivers behind the technology and the people working to secure the technology.
The Importance of Teamwork
“I think to do this effectively,” says Brown, “you need a cross-functional team to bring all the different knowledge to the table.” With the new European data protection directive changing the face of business as we know it, there has never been a more critical time for a united front. Put simply, everyone in an organisation must be on board, informed and proactive: the leadership at board level; the CIO, who contributes an understanding of what is happening with data across the organisation; the CISO, who deals with issues such as application security, which feeds directly into the GDPR; and the DPO (Data Protection Officer).
Brown reminds us that, in addition to these central roles, a firm’s legal and compliance teams must also have a seat at the table, along with the information security practitioners. “What that really means is you can’t just leave it to the lawyers to ensure compliance with GDPR,” says Brown, “you need particular security team members to define what the risk is.” In practice this means documenting the risk, literally on paper, in a record of processing activities, in addition to implementing the technical controls and measures needed to ensure adequate privacy. Cyber security professionals and compliance professionals must therefore work together to mitigate the risk that non-compliance with the regulation presents.
“It’s really a practical endeavour, it’s not something you can put in a policy and then run some training with the users and assume it’s job done,” says Brown. The GDPR may appear straightforward, but what it means for businesses goes beyond the simple prospect of being penalised for mishandling personal data. This is why, as Brown explains, there is a need to work with the technologists in order to understand what the risk is of processing or storing data in a particular way.
Applications are a key issue within the security space. Application security is a sub-discipline of cyber security in its own right, and applications raise a great deal of concern for organisations and product developers with regard to how securely they function and whether they have vulnerabilities that need fixing. “One of the key tenets of GDPR is to ensure that the systems you develop have security by design and privacy by default,” explains Brown, a principle that applies directly to the design of applications.
Organisations that process large volumes of personal data, particularly through their own applications, such as Facebook, Google, LinkedIn and healthcare providers, are most at risk of being breached. Cyber security professionals, especially those working within application security, must demonstrate mindfulness when it comes to security and safeguarding privacy. More than that, it is part of their responsibility in cyber security to generate and sustain awareness of the major risk the GDPR presents to business continuity, in order to maintain compliance.
Controls and Measures
Cyber security professionals need to be experienced in developing and enforcing technical controls and measures. This is particularly relevant when dealing with a systems landscape in which a range of end-user devices interact with the servers, mainframes and systems within an organisation. Beyond laptops and other mobile devices, there are the more fundamental core components such as cloud systems and enterprise security systems like SAP. The GDPR is important for those working in cyber security roles because part of that role is implementing technical controls and measures that are adequate and appropriate to protect the sensitive information being processed through those devices and systems. Your goal within cyber security is to keep that information private.
All of this relates to how information moves around an organisation, let alone how it can potentially move outside the organisation. Cyber security teams must be able to implement sufficient encryption and to monitor the kinds of access people within the organisation have to that information. In relation to the GDPR, this means you must understand the landscape of your environment and how information moves around it. That insight is the precursor to determining the different risks associated with current practice and its level of compliance with the GDPR.
Inform, Defend and Protect
It is necessary to remember that the GDPR is a global regulation: any business handling information belonging to European citizens is subject to the directive. Organisations must therefore acknowledge the movement of data across international boundaries and into different jurisdictions. “As a result there needs to be an understanding of how that information is being transmitted and whether it’s being transmitted securely,” says Brown. Teamwork is vital to upholding the tenets of the GDPR, because in cases like this cyber security professionals will need to work with legal professionals to determine the impact of local legislation on how the information is handled.
Tied to this is what the GDPR mandates regarding data breach response. “There is a whole section which outlines what you do in the wake of a data breach, which teams to mobilise, how to determine the extent of the breach, who to inform and a data breach response plan,” says Brown. “Within this particular area, you have to involve your incident response teams and your information security professionals. This is in order to understand, potentially forensically, what’s happened and to determine where the vulnerability was to try and take positive affirmative action against it.”
What comes next is sharing those insights with key decision makers. It is your responsibility to inform them of the pros and cons, and this is where the importance of having a multidisciplinary team comes into play. It is also where the question of why the GDPR is important for cyber security professionals finds its answer. If that multidisciplinary team lacks people who understand the security risk, it lacks a crucial element for generating a productive conversation. The cyber security professionals within an organisation need to be able to weigh in on what they see as the real risks and what should therefore be accounted for. Without that, you are only halfway to a solution or a feasible strategy for dealing with the risk the GDPR introduces.