I was at a recent IDC security leaders’ dinner where the topic of GDPR came up again, with discussion on perceptions of it. The question was whether security leaders see it as a “glass half empty or full” scenario:
Do you see the regulation as an opportunity to embrace the opportunity to review and evolve your cybersecurity capabilities to leapfrog today’s requirements, building something that can scale for the future? Or is this another regulatory burden that companies must “get through” to move on to the next daily challenge?
Having been a strong advocate of the opportunities GDPR provides for the last couple of years, I’m still struck by the variety of emotional responses I get from security leaders when discussing the legislation. I draw the parallel to the five stages of bereavement.
For many the first response is denial. I’m struck by how many still either don’t believe it will impact them, or don’t believe penalties will be applied; therefore, they don’t need to take it seriously (at which I’m struck by why they don’t see the societal value). The reality is that, no matter how much we choose to ignore GDPR, it is happening; and we must make the positive decision on whether we choose to embrace it or not. Typically, getting through this emotional state is a challenge of education.
This leads into the next stage of anger, which I would exemplify through the statement “Just tell me what I need to do!” Unlike standards like PCI, which is an industry-led requirement that is very prescriptive (you must have X & Y), GDPR contains very few clear technical definitions. For example, what is “state of the art” or “security by design and default,” and when does a breach really start? Security practitioners like things black and white; the regulation is shades of grey. It requires each of us to work across our business teams to interpret and define exactly what it does mean to our business, and how we quantify and qualify this both to our business and to third parties.
All too often I’m seeing this lead to bargaining. To quote one instance, “We have been working with our legal team and will argue the definition of a breach does not apply effectively”. Whilst I’m sure a few will gain some early successes with this, to me, it feels like swimming against the tide. I can only expect definitions to be tightened where needed, but the underlying intent of the regulation is clear: protect citizens’ personal information and drive confidence in the use of technology in today’s society.
Essentially, at some stage, most go through depression (the cup half empty, which is, “This is real and happening, and you can’t ignore it or wriggle around it”). This leads to the reality that we need to understand just what the gap is between where we are and where we need to be, gathering the budget and support to achieve this within the business. This is the point to switch to the half-full cup, if you haven’t already. How often do you get the opportunity to step back from the daily cyber grind and review and re-architect with an eye to the future? Most of us are stuck with a lot of legacy that this is a perfect opportunity to phase out.
The reality is that, whether we like it or not, we end up at acceptance: It is happening; GDPR goes live in 2018, and any one of our businesses could be held to account, either as a result of an incident or, as I suspect will be the most likely cause for many, because a third party in your supply chain requests evidence of your compliance as they look to achieve their own. I can share with you that I'm aware of companies already getting such requests.
So, what are the takeaways here? All too often cybersecurity is treated as a technical challenge. Yes, we are improving in the social attack aspects (social engineering/the insider attack). But in this instance, there is a human aspect we must factor in. As you map your business strategy to adhering to the new GDPR legislative requirements, you need to build in time for your own emotional journey, as well as realize that others in the business also need to go on their own emotional journey. Consider what you can do to help short-circuit this; get educated and discuss with your peers both inside and outside your own business. Don’t assume that all your stakeholders are at the same point of the emotional journey you are, but take the time to validate where they are and how you can nurture them through to maturity. GDPR is coming; it’s a positive opportunity to improve our own cybersecurity capabilities and a pivotal change to ensure confidence as we become an increasingly digital society.