GDPR

GDPR: Focus on the WHY First, Not the HOW

By far the most common answers to the questions “Are you worried about GDPR?” and “If yes, why?” are, in this order:

  1. The fines;
  2. Possible loss of reputation;
  3. What’s GDPR again? (no, unfortunately I’m not joking);
  4. The cost / complexity; and
  5. Board-level accountability (a.k.a. it’s a law now).

While from a business perspective I can empathise with most of these, I have zero empathy for 3. That’s not really the point though, which is that not one person I have ever spoken to about GDPR got anywhere near touching on the actual reason GDPR is here in the first place:

It protects a human right.

If you haven’t read the Universal Declaration of Human Rights, and surprisingly few seem to have done so, it forms what I will call a code of conduct for what the United Nations calls the ‘human family’. So while it’s not a global law (per se), and somewhat impractical taken in its entirety, you have to be something of a sociopath not to recognise its basic goodness. It just fits. For example, and most relevant to this blog:

UDHR Article 12

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Fair enough, right?

Therefore, the GDPR starts out of the gate with:

GDPR Recital 1

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

And while the GDPR does go on to say things like “The right to the protection of personal data is not an absolute right because it must be considered in relation to its function in society and be balanced against other fundamental rights...” (Recital 4), its meaning and intent remain both clear and unwavering.

So if you want to know why fines are in place, why loss of reputation is such a big deal, and why infringements will be breaking the law, look no further. Compliance should go way beyond being just another consideration in your effort to demonstrate corporate social responsibility. This is not just some PR exercise you can fake your way through.

On the other hand, why is this so one sided against businesses? Why do they have to do all the work? I have made no secret of my disdain for people who don’t take responsibility for their own lives and actions. People who blame retailers for using personal data in ways they resent when they were the ones who gave it away without question. Even people who blame criminals for stealing their identity when it’s the victim themselves who made it possible by posting their entire life on social media.

When was the last time you read Google’s T&Cs? Or iTunes’? Or anyone’s? No, I haven’t either.

I have long contended that your privacy is a currency that you spend for the conveniences you crave. GDPR is there to make the risks of spending it far more transparent. Or as Angela Boswell (a privacy lawyer, DPO, and GDPR implementation lead for her organisation) puts it: “What GDPR intends is to put the choice of ‘if’ and ‘to what extent’ back in the hands of the data subject.”

So while organisations will have a lot more responsibility moving forward, you should still do your homework before sharing personal data.

But in the end, the main reasons it’s the businesses who are now [mostly] responsible for protecting people from themselves are clear. For years, many businesses who should have been guarding your privacy, weren’t. And those businesses who were supposed to protect the data they had, weren’t. Not even close. This will all change under GDPR.

In theory however, the businesses who were already doing the right thing are [for all intents and purposes] GDPR compliant; it’s only those described in the paragraph above who now have a really tough time ahead. GDPR is an extension of, and replaces, the Data Protection Directive (Directive 95/46/EC), which has been out for 22 years! You really should not be starting from scratch here.

Depending on your business, GDPR might get tricky as you progress through it, but every organisation starts out the exact same way: by mapping your business processes (at both the individual asset and ‘asset interdependency’ level). This does not require a lawyer, and is something you should already be doing. If you don’t even have this in place, you will likely never be able to demonstrate the appropriateness of the ‘extent and proportionality’ of your data processing should things go wrong.

If I was a supervisory authority (e.g. the ICO here in the UK) I would reserve my biggest penalties not for those who aren’t compliant, or even necessarily those guilty of a minor infringement, but for those who have done nothing.

If that’s you, you’ve already wasted ~13 months of the 2 year run-up to GDPR’s application. There will be no ‘grace period’ after May 25th 2018, you’re IN the final stage. So you only have ~11 months left before the penalties can be applied. You must start asking the right questions of the right people now, and if you don’t know what and who they are, I suggest that’s where you start.

This is very basic, but it’s a beginning: Preparing for the General Data Protection Regulation (GDPR) 12 Steps to Take Now

[If you liked this article, please share! Want more like it, subscribe!]


Recruiter

How to be a GREAT Cybersecurity Recruiter

To be clear, I am not, nor have I ever been, a cybersecurity recruiter. I’m not even saying I have what it takes to be one. What I’m saying is that, like cybersecurity itself, being a recruiter is very simple. Bloody difficult, but simple nonetheless. What’s more, cybersecurity recruiting is also about People, Process, and Technology. Always in that order, and luckily the only technology you need to be a great recruiter is a phone and a laptop.

So while I cannot talk directly about the challenges faced by recruiters, I have been on the other side of the process as both a candidate and a hiring manager. I can say that in almost 20 years I have yet to meet a recruiter I would go out of my way to recommend. Not one. In 20 years.

Not. One.

So if you are a recruiter who has engaged with me in the past, yes, this applies to you, without exception. If you want to know why, read on, and then be honest with yourself. Did you really provide the kind of service I describe below? Do you now?

The most frequent piece of advice I give anyone new to cybersecurity is to take your ego out of the equation. That may sound odd coming from me, but even though I know a lot more than my clients about cybersecurity, it’s not about me. Of course I know more than my clients, that’s why they hired me! It’s about using my knowledge for the client’s benefit, not for appreciation, and certainly not for money. Both of those things should take care of themselves if I did my job correctly.

Again, this is no different from what you should be doing as a recruiter.

As a recruiter you have not one client, but 2, regardless of whom you represent: the candidate, and the hiring company. While this makes your task twice as difficult as mine, what you do is no more complicated. Like it or not, you are in the service industry, and neither the candidate nor the end customer cares what you want. But if that’s all you care about, you will rightly fail. Harsh, yes, but you chose this career.

Anyway, here’s my advice for what it’s worth.

How to be a Great Recruiter.

  1. Know what the hell you’re talking about – No, you don’t have to be an expert in cybersecurity, but there’s a very good chance the hiring company isn’t either. They will ask the wrong questions; it’s your job to give them what they need, not what they asked for. If you’re representing a person, you need to know their skill-set well enough to determine a good fit. This means you have to know what cybersecurity actually is, and no, not just the buzz-words and acronyms.
  2. Know what the candidate wants – Like it or not, you have a responsibility to your candidates to help grow their career. This is their livelihood, and they trust that the power you have over their success is not misplaced. If all you care about is getting them off your plate and on to the next candidate, you are betraying their trust. If you don’t see your candidates as lifelong relationships, why are you doing this? Go sell used cars instead.
  3. Send CVs that have been PROPERLY vetted – It’s tempting to scattershot all of your ‘cybersecurity expert’ CVs at every cybersecurity related job opening in the hope one sticks. Don’t. Do your homework, and if you don’t have someone that fits, pass. As a hiring manager I dismissed recruiters that consistently wasted my time. Earn the right of first refusal by being totally candid; that’s the most you can ask for with the amount of competition out there.
  4. Provide unvarnished feedback – No matter how bad the feedback, pass it on completely unvarnished. If you don’t have the courage to do that, at least provide SOME feedback. I’ve lost count of the number of times a recruiter was all over me while I was still a viable candidate, then completely disappeared when it fell through. Obviously I didn’t get the job, which was bad enough, but for me to have to work that out by myself over the course of the next few weeks is unconscionable. While you may not be able to stop your candidate from screwing up the next time, you’ll at least have a candidate who’ll talk to you again.
  5. STAY in touch – Careers in cybersecurity can change on a dime; if you don’t maintain a relationship with your candidates you will become worthless. I’m not saying call every day, but is once a month too much to ask for a 30 minute catch-up? If it is, again, why are you doing this? You’re supposed to actually like people. Besides, if I trust you, who do you think is going to get all of my referrals?
  6. Be pro-active – As a recruiter, you have unparalleled access to the demands of the market. What possible reason could you have for not feeding that back to your candidates? By steering them into fields of high demand you are helping both them, and yourselves.
  7. Love what you do – No-one wants to work with someone who could not care less about what they do. Love it, or get out.

Recruiters in every field have a horrible time fighting against their negative image. An image they have earned as a profession from being so filled with dross. Unfortunately cybersecurity is getting that way thanks to ambulance-chasing vendors. Now combine the two: cybersecurity recruiter. The odds are against you, but it strikes me that anyone encompassing the above would be a beacon in an otherwise dismal landscape.

For those who have the temerity to ask for exclusive deals up front, try earning it instead. Given the state of recruiting these days it should not be that difficult.

Finally, at the end of my blog Cybersecurity Recruiters, The Gauntlet Is Thrown!, I stated my ultimate purpose was to find the great recruiters I know are out there.

I’m still looking.


Change

Cybersecurity Professionals: Don’t Change by Not Changing at All

Yes, I stole this line from Pearl Jam’s 1993 song ‘Elderly Woman Behind the Counter in a Small Town’. But in my defence, I have always loved the line and I did wait for almost a quarter of a century before I stole it.

The very simple, yet extraordinarily powerful, message is one that applies equally to your personal and professional lives. Though I for one have never believed that you can keep your work and home life separate. They overlap in just too many ways. We used to have communities to fulfil our Maslow’s sense of belonging; now we have the companies we work for. We used to derive our sense of self-worth from taking care of our families; now it’s from a big annual bonus, a cheap award, or worse, a title.

But I digress. Already.

In a previous blog, So You Want to be a Cybersecurity Professional, I posited that you really only have 2 career choices: 1) specialise, or 2) generalise. “You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.”

Unfortunately, if you’re not careful, both of these choices have a significant downside: if your knowledge stands still, your skill-set will become obsolete. As technology continues to advance, and the corresponding social issues (privacy for example) become more complicated, cybersecurity professionals have to adapt to an ever-changing array of requirements. While I find the vast majority of job descriptions ridiculous in the extreme, you only have to look at what employers are asking for to see the writing on the wall.

In Europe, for example, if you can’t speak at least relatively competently about technology issues as they relate to the GDPR or even PSD2, you are not setting yourself apart. Not in a good way at least. And if you are not adapting to the current cycle of distributed processing (i.e. the Cloud, containers, FaaS and so on), then your ability to administer physical assets is not likely to take you as far as you’d like.

I have never hidden my disdain for our over-reliance on IT/IS certifications. But even I find myself back in the study/test cycle in an attempt to render my skill-set a little more relevant. I have signed up for both the Certified Information Privacy Technologist (CIPT) and the Certified Information Privacy Professional / Europe (CIPP/E) in an attempt to make my individual ‘service offerings’ more attractive. I’m not saying that the certs will do that by themselves, you have to actually read the regulations to which they refer, but it’s a start. So is talking to people in related fields.

I would say that it’s the specialist career which is actually the most at risk, especially given the ridiculous number of ‘new’ technologies that have hit the market. Almost on a daily basis, it seems. Tie yourself to one of these ‘acronyms’ and it’s unlikely you’ll be relevant for more than a year or so. Unfortunately, cybersecurity is not so much an evolution of responsible services as a cycle of vendor-defined demand generation predicated on buzz-words and F.U.D.

Perhaps I’m only seeing all this from my own ‘generic’ and slightly jaded perspective. I have largely removed myself from individual security technologies to focus on the basics. While the basics (or as I call them, the Core Concepts) of security will never change, even these need to be refreshed in light of evolving business needs and priorities.

In the end I think a lot of our problem in cybersecurity is that we think we’re a department alone. I believe we are the exact opposite: we are the ones who need to be in on everything. After all, are not data assets the crown jewels of most organisations?

With that in mind, here’s how to embrace change:

  1. Read – Most of us subscribe to things of direct interest, but few of us subscribe to things outside of that limited sphere. Like it or not, IT and IS departments are only there to enable, so you need to know what impacts other departments like finance and legal if you want to stay ahead of the game;
  2. Talk to People – Probably the hardest one for me, but IT and IS do not exist in a vacuum. What scares the crap out of all the other departments? You’ll find out eventually; don’t let it be the hard way;
  3. Training & Certification – While you don’t need to go the whole hog and collect another almost meaningless acronym, at least get yourself trained by an expert in something with which you are currently unfamiliar. GDPR for example, or PSD2 if you’re in the payments space, or even PCI if you’re really desperate;
  4. Self Reflection – Unless you’re one of the lucky ones who’s in a career they chose, you likely found your way into cybersecurity by accident. Or in my case, a comedy of errors. This does not mean it can’t be a perfect fit; you just have to be extra aware of your talents and skills to not find yourself in a position for which you are wholly unsuited;
  5. Find a Mentor – This does not mean you have to get a hands-on mentor; even following a person whom you respect on LinkedIn is a good thing. Find someone(s) who are where you want to be; they’ve already made a lot of the decisions you are going to face.

History is full of people who could not imagine becoming obsolete. I’m going to go out on a limb and say that these people ended up with significant regret.


Right to Erasure

GDPR: Does the Right to Erasure Include Backups?

I received what, to me, was an interesting question the other day (thank you Gareth), which was [paraphrased]: Does the GDPR’s Right to Erasure (a.k.a. the Right to be Forgotten) include every instance of the data, including those contained in backups?

The short answer is yes, it does, but that is simply not what is going to happen in the real world. I can see three possible arguments organisations could use to avoid making the potentially significant effort of erasing data subjects from backups:

  1. It’s backed up and therefore not processed – This is negated by Article 4, Definitions, (2): “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
  2. Interpretation of the phrase “…taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures…” – While this phrase, and several similar equivalents, are not used directly in the context of backups (which don’t seem to be addressed at all outside the context of ‘storage periods’), it nevertheless suggests the GDPR has wiggle room. However, to even think about using this argument, you’d better do a Hell of a lot more to make your case. The word ‘reasonable’ in lawyers’ terms is built on precedent; in cybersecurity it’s built on your ability to demonstrate a credible and sustainable security program.
  3. Plead ignorance (i.e. We didn’t know we had it!) – This is no different from “Sorry officer, I had no idea how fast I was going so the speeding ticket cannot apply!”. If I was the supervisory authority, these are the organisations who would be prevented from processing personal data, and/or receive the biggest fines. Not knowing you even had the data in the first place is either laziness, incompetence, or both.

There will absolutely be scenarios where the cost and level of effort necessary to remove a data subject from every system could rightly be deemed ‘unreasonable’. However, in this scenario, the difference between you saying it’s unreasonable and you demonstrating that it’s unreasonable will directly impact the egregiousness of your offence. And if you accept that the penalties associated with non-compliance with the GDPR will be based on the egregiousness of the offence, it follows that the more you do pro-actively the better off you will be.

From my perspective, the only way to do this is to perform what follows below. While this may seem like a lot, not one of these steps is something you shouldn’t either be doing already, or doing in preparation for May 25th 2018.

How to Justify Non-Compliance with Article 17 (for Backups)

Caveat 1: I am in NO way suggesting that this is ‘officially approved’ mitigation, this is based solely on my experience and a little common sense.

Caveat 2: This assumes that Article 17(3)(a-e) does not apply.

Req. 1: Run a Risk Assessment (RA), a Business Impact Analysis (BIA), and a Privacy Impact Analysis (PIA) – Put simply, you cannot decide whether or not to fix the problem until you have run these three fundamentals. The RA and the PIA would be the first things I would ask for if I was an auditor, and the BIA would be the first thing I would ask for if I was on the BoD.

Req. 2: Get your Policies, Standards and Procedures in order – These represent your culture, your operational baselines and your corporate knowledge respectively. Unless you know exactly what to do, what NOT to do, how to do what you do, and what you’re doing it with, you cannot demonstrate appropriate controls. Ever.

Req. 3: Education – Unlike PCI, where trying to educate most organisations is utterly pointless, privacy is everyone’s problem. Your entire organisation must be made aware of their responsibilities for the protection of personal data, as well as trained on how to report suspected loss or manipulation. Education is by far the best and cheapest way to reduce risk.

Req. 4: Map business processes and data stores – You must know how data is handled in order to understand how and what gets stored at the end of the processing. Also, if you cannot show that your current processes enable the enforcement of future data subject requests, then you will not be able to justify keeping the old stuff. You must stop the bleeding.

Req. 5: Determine if current data stores match data retention policies – Part of Req. 2 includes compiling a record of all data retention justifications and timelines for all data types (most notably ‘special categories’). Should your processes for data storage not include a robust methodology for removing old data this will not look good.

Req. 6: Document your plan to remove data over the course of a specific time frame – Not much point trying to explain why you can’t delete something if you NEVER plan to do so. Even if the plan is over the course of 7 years, have one, as it will likely be a negotiation at this point.

Req. 7: Obtain Board of Director’s acceptance of residual risk – If this issue has not made it to the BoD level, I would have significant reservations as to just how seriously you are taking it. If you get audited by the supervisory authority it will not be the IT admins they are talking to.

Req. 8: Tell the supervisory authority – Wait! What!? TELL the supervisory authority, are you stupid!! Perhaps, and I’m not saying this is the right approach in every scenario, but the GDPR is not there to put you out of business, and supervisory authorities are not dictators. Everyone is in the same boat here, we’re ALL learning, so take advantage of the confusion.

As things stand right now, you’ve already had over a year to fix this issue, and you have just under another year before you are, quite literally, breaking the law. I understand the difficulty, but after May 25th 2018 you still have to explain why you wasted the previous 2 years. Every requirement above fits very neatly into 1 or several of Article 83’s ‘regards’ given to individual circumstances; negligence, actions taken, degree of cooperation, even HOW the infringement became known to the supervisory authority, all have bearing. The more you can pre-empt, the less the negative impact.

Finally, if you fall for ambulance chasers, or are terrified of the impact the GDPR will have on your business, you clearly aren’t doing what you should be doing. Bite the bullet, hire a lawyer, and get moving on this.


GDPR: Get Your Priorities Straight

GDPR: Forget the Damned Fines, Worry About Staying in Business!

How many ‘news’ articles / blogs / ads have you seen with titles like “You could be fined up to 4% of your global revenue under GDPR!”, a.k.a. “Be afraid and give us lots of money you clueless sap.”

I’m seeing it from every online cybersecurity publication, lawyers, cybersecurity vendors / consultants, and increasingly from cyber insurance vendors. I’m even getting spammed from people I KNOW!

It’s more than a little irritating …frankly, it borders on unprofessional.

I can understand lawyers jumping on the bandwagon. The GDPR was written by lawyers, and if you don’t get a lawyer’s input on how GDPR will affect your business, you deserve a 4% fine. Yes, privacy lawyers are expensive, and yes, it’s bloody annoying to spend this money on something that adds absolutely nothing to the bottom line, but do it anyway. At the very least, piggy-back off a business partner that has spoken to a lawyer!

And no, asking your contacts on LinkedIn is not the same thing.

For cyber insurance vendors, I can fully appreciate how tough it’s been to find something to pin a marketing budget on. Ambivalence towards cybersecurity is legendary. But what I cannot condone is using GDPR’s fine structure to scare organisations into buying a policy that will likely be completely inappropriate. Even choosing the right cyber insurance requires significant due diligence.

As for cybersecurity vendors, I’ve already addressed/redressed them in GDPR and Cybersecurity, a Very Limited Partnership. They simply have no right to bring up a 4% fine in a sales pitch when the maximum fine for data breach is 2%, not 4.

There is a lot more than fines in the GDPR of which you should be aware, but first…

About the Fines…

…borrowing heavily from my previous blog:

If the maximum fine for ANY infringement, no matter how egregious, is 4% of the annual revenue from the previous year (in the case of an undertaking), it can be assumed that 4% is what the EU considers the maximum for a fine to qualify as “effective, proportionate and dissuasive” (per Article 83(1)). Therefore, a fine of €20,000,000 (for example) would be reserved for any organisation with revenue over €1,000,000,000 annually. Yes, that’s 1 BILLION.

It must follow that if 4% is the maximum, then fines will go down the less egregious the offence. Everything you need to determine the level of ‘egregiousness’ is contained in the 11 lines of Article 83(2)(a) – (k). Words like ‘intentional’, ‘negligent’, ‘degree’, and ‘manner’ are bandied around, all of which can be answered by you.

In this spreadsheet, I have taken a stab at adding specific questions to each of the (a) – (k) line items. Answer them all truthfully and you’ll get an indication of what I consider to be an appropriate fine based on your annual revenue: GDPR Fine Worksheet. Note: This is based on data breaches only (2% fine structure), and is not based on anything resembling known fact or precedent.

Frankly, it’s not the fines you should be worrying about, as I get the feeling you have to REALLY screw up before they’ll even be considered in the first place.

Worry about the ‘Corrective Powers’

What no-one seems to be writing about are the other so-called ‘corrective powers’ as detailed in Article 58(2) that each member state’s supervisory body will wield. Some of these are far worse than fines, and from what I know of GDPR, far more likely to be put into effect first.

Article 58(2) starts out very reasonably; 58(2)(a), (b) and (c) are:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; [i.e. be careful]

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; [i.e. smack on the wrist]

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation; [i.e. now do it properly, we’re watching]

..then it gets a little more punitive in (d) and (e):

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; [i.e. now do it properly, or else]

(e) to order the controller to communicate a personal data breach to the data subject; [i.e. tell everyone with whom you do business that you f*&%ed up]

…then there’s the stuff that could put you out of business (assuming personal data is central to it) from (f) through (h):

(f) to impose a temporary or definitive limitation including a ban on processing; [i.e. stop everything you’re doing with personal data, now]

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19; [i.e. you can’t do what you do with personal data the way you were doing it]

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; [i.e. good luck getting anyone in the EU to do business with you]

…and NOW the fines:

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; [i.e. not only can we stop you doing business, but we can also fine you]

…and finally, back to the potentially out of business:

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation. [i.e. specific to cross-border, but you’re screwed if this is relevant]

Now ask yourself; can a cybersecurity vendor help you in a scenario where the data is safe but you’re just not allowed to use it? Could cyber insurance replace your ENTIRE business and customer base?

Clearly not, so the only people you SHOULD be talking to right now are privacy experts. Not ones who passed a 75 question multiple choice exam to achieve a Certified Information Privacy Professional (CIPP) acronym, and/or the Certified GDPR Practitioner course, but a lawyer. And not just any lawyer, a lawyer who specialises in privacy.

I’m not disparaging the CIPP/E or EU GDPR P certifications; they are actually very good foundations for anyone wanting to ask a true expert the right questions. And if, as per Recital 13 (“…this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.”), you are small enough not to have to worry about validation of your practices, maybe someone with these certs is good enough.

It’s up to you, you’re the ones betting your businesses on it.
