PCI to GDPR

Going From PCI to GDPR? You Are Starting from Square One

To be very clear from the outset, if you think the PCI DSS is a good ‘stepping stone’ to GDPR, you need to do a lot more homework. Data security represents less than 5% of the entire GDPR, and the PCI DSS is – in my admittedly biased estimation – no more than 33% of a true security program.

I have, for years, railed against the PCI DSS as an inadequate baseline for security, and even the card brands and the SSC have never claimed it be more than what it is; a set of MINIMUM security control related to the protection of cardholder data. Well, except for this ill-advised and rather naive quote perhaps;

People come to me and say, ‘How do I achieve GDPR compliance?’… Start with PCI DSS.

The PCI DSS was written for ONE very specific purpose, and it’s only ego, desperation, or vested interest that would lead people to think it’s anything more.

The reason for this particular blog is reading articles like the two samples below. It’s articles like these that lead organisations who don’t know better [yet] into making bad decisions. They also give cybersecurity professionals a bad name. Well, worse name, unscrupulous QSA companies and greedy product vendors have already caused significant damage.

Article 1, and by far the most egregiously overstated quote [so far] is from an article in SecurityWeek (PCI 3.2 Compliant Organizations Are Likely GDPR Compliant); “Any company that fully and successfully implements PCI DSS 3.2 is likely to be fully GDPR compliant — it’s a case of buy one and get one free.” Given the author’s apparent credentials, he should know better. Since when does the PCI DSS deal with explicit consent, or children’s data, or the right to erasure/correction/objection/portability and so on.

Then, in the very recent article 2; How the PCI DSS can help you meet the requirements of the GDPR – the author states that; “Failure to report breaches attracts fines of up to €10 million or 2% of annual turnover, whichever is higher. Breaches or failure to uphold the sixth data protection principle (maintaining confidentiality and integrity of personal data) can attract fines of up to €20 million or 4% of annual turnover (whichever is higher).

No part of the above statement is factually correct:

  1. Just because Article 33 – Notification of a personal data breach to the supervisory authority is included in Article 83(4)(a) – General conditions for imposing administrative fines, it does NOT mean that failure to respond in 72 hours will attract a fine. There are many caveats; e.g. Recital 85 states ; “the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Recital 85)”‘
  2. sixth data protection principle“? – Nothing to do with confidentiality and integrity, assume author meant the seventh principle (security).
  3. Maximum fines for data breaches are 2% (for an undertaking, a.k.a. a group of companies), not 4%.

The author then goes on to say; “The ICO is also likely to treat inadequate or non-implementation of the PCI DSS as a failure to implement appropriate “technical and organisational measures” to protect personal data…” which is clearly not the case. The ICO has always left loss of cardholder data / PCI up to the card schemes, and have already mentioned ISO 27001 in their “The Guide to Data Protection“.

Every article I have read on how PCI helps with GDPR, is at best, hugely overstated, and at worst, full of self-serving lies. I can fully appreciate the desire for cybersecurity companies (especially QSAs) to branch out from the massively price compressed and ultimately doomed PCI space, but to do so in this manner is unconscionable.

Unfortunately if you are falling for this advice, I can safely assume that you:

  1. have little idea of how limited the PCI DSS is, even as protection for the only form of data to which it’s relevant;
  2. have little idea what the GDPR is trying to achieve if you think a bunch of security controls are that significant a component; and
  3. don’t actually know what an ‘appropriate’ security program should look like.

This is actually not meant as a criticism, these things may not be your job, but if you have any responsibility for GDPR, you absolutely must learn to ask the right questions.  I will finish with some reasoning below, but leave to up to you work out whose guidance to take.

PCI and GDPR are very far removed from each other.

  1. Data protection Articles are only 3.34% of the Regulation – yes, I actually worked this out on a spreadsheet. That means the GDPR is 96.66% NOT security control relevant. Of course IT and IT security are important and intrinsic to GDPR, but PCI does not cover anything else other than than those things.;
    o
  2. PCI DSS makes no mention of the need for Governance – PCI compliance is almost invariably an IT project, and while this is obviously wrong, does not prevent organisations from achieving compliance. In GDPR, the IT folks have absolutely no idea where to start. Nor should they, IT/IS people aren’t lawyers and they do not control the organisation’s direction, they are business enablers who do as bid by senior management. GDPR requires a team effort from every department, which is exactly what Governance is.;
    o
  3. PCI DSS is about compliance to an already defined standard of security controls, the GDPR requires a demonstration of ‘appropriate security’ measures – For example, what if your annual risk assessment showed that the PCI controls were actually excessive? Could you scale some of them back? No, you can’t. Alternatively, what if your risk assessment showed that they weren’t enough, could your QSA insist that you went above and beyond? Again, no, so what the hell is the point of the risk assessment in PCI?
    o
  4. Only QSAs that started out as security consultants [not the other way around] have the skill-set to provide any help at all. If they were experts in ISO 27001, CoBIT, NIST etc., then yes, they can help you both define and implement ‘appropriate security’. If all they did was pass the QSA exam, the only guarantee you have is that they can read.
    o
  5. The PCI DSS can never keep pace with the threat landscape – It’s already way behind, and with its complete inability to change significantly, the DSS can never represent appropriate security. If the DSS did change significantly, both the card brands and the SSC would be lynched. Millions of organisations have spent BILLIONS on PCI, they will simply refuse to start all over again. GDPR on the other hand has no defined controls, it’s up to YOU to show that your controls meet the measured risk.

In the end, the only way PCI can help with GDPR is to use the assigned budget to do security properly. You will never reach GDPR ‘compliance‘ using PCI, but you will achieve both PCI and GDPR compliance on the way to real security.

[If you liked this article, please share! Want more like it, subscribe!]

GDPR

GDPR: Focus on the WHY First, Not the HOW

By far the most common answers to the questions; “Are you worried about GDPR?” and “If yes, why?”, are, in this order:

  1. The fines;
  2. Possible loss of reputation;
  3. What’s GDPR again? (no, unfortunately I’m not joking)
  4. The cost / complexity; and
  5. Board-level accountability (a.k.a. it’s a law now).

While from a business perspective I can empathise with most of these, I have zero empathy for 3. That’s not really the point though, which is that not one person I have ever spoken to about GDPR got anywhere near touching on the actual reason GDPR is here in the first place;

It protects a human right.o.

If you haven’t read the Universal Declaration of Human Rights, and surprisingly few seem to have done so, it forms what I will call a code of conduct for what the United Nations calls the ‘human family’. So while it’s not a global law (per se), and somewhat impractical taken in its entirety, you have to be something of a sociopath not to recognise its basic goodness. It just fits. For example, and most relevant to this blog:

UDHR Article 12

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Fair enough, right?

Therefore, the GDPR starts out of the gate with:

GDPR Recital 1

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

And while the GDPR does go on to say things like; “The right to the protection of personal data is not an absolute right because it must be considered in relation to its function in society and be balanced against other fundamental rights... (Recital 4)”, it’s meaning and intent remain both clear and unwavering.

So if you want to know why fines are in place, why loss of reputation is such a big deal, and why infringements will be breaking the law, look no further. Compliance should go way beyond being just another consideration in your effort to demonstrate corporate social responsibility. This is not just some PR exercise you can fake your way through.

On the other hand, why is this so one sided against businesses? Why do they have to do all the work? I have made no secret of my disdain for people who don’t take responsibility for their own lives and actions. People who blame retailers for using personal data in ways they resent when they were the ones who gave it away without question. Even people who blame criminals for stealing their identity when it’s the victim themselves who made it possible by posting their entire life on social media.

When was the last time you read Google’s T&Cs? Or iTunes? Or anyones? No, I haven’t either.

I have long contended that your privacy is a currency that you spend for the conveniences you crave. GDPR is there to make the risks of spending it far more transparent. Or as Angela Boswell (a privacy lawyer, DPO, and GDPR implementation lead for her organisation) puts it; “What GDPR intends is to put the choice of ‘if’ and ‘to what extent’ back in the hands of the data subject.

So while organisations will have a lot more responsibility moving forward, you should still do your homework before sharing personal data.

But in the end, the main reasons it’s the businesses who are now [mostly] responsible for protecting people from themselves are clear. For years, many businesses who should have been guarding your privacy, weren’t. And those businesses who were supposed to protect the data they had, weren’t. Not even close. This will all change under GDPR.

In theory however, the businesses who were already doing the right thing are [for all intents and purposes] GDPR compliant, it’s only those described in the paragraph above who now have a really tough time ahead. GDPR is and extension of, and replaces the Data Protection Directive (Directive 95/46/EC) which has been out for 22 years! You really should not be starting from scratch here.

Depending on your business, GDPR might get tricky as you progress through it, but every organisation starts out the exact same way: By mapping your business processes (at both the individual asset and ‘asset interdependency’ level). This does not require a lawyer, and isn’t something you should not already be doing. If you don’t even have this in place, you will likely never be able to demonstrate the appropriateness of the ‘extent and proportionality’ of your data processing should things go wrong.

If I was a supervisory authority (e.g. the ICO here in the UK) I would reserve my biggest penalties not for those who aren’t compliant, or even necessarily those guilty of a minor infringement, it would be for those who have done nothing.

If that’s you, you’ve already wasted ~13 months of the 2 year run-up to GDPR’s application. There will be no ‘grace period’ after May 25th 2018, you’re IN the final stage. So you only have ~11 months left before the penalties can be applied. You must start asking the right questions of the right people now, and if you don’t know what and who they are, I suggest that’s where you start.

This is very basic, but it’s a beginning; Preparing for the General Data Protection Regulation (GDPR) 12 Steps to Take Now

[If you liked this article, please share! Want more like it, subscribe!]

 

Recruiter

How to be a GREAT Cybersecurity Recruiter

To be clear, I am not, nor have I ever been a cybersecurity recruiter. I’m not even saying I have what it takes to be one. What I’m saying is that, like cybersecurity itself, being a recruiter is very simple. Bloody difficult, but simple nonetheless. What’s more, cybersecurity recruiting is also about People Process, and Technology. Always in that order, and luckily to only technology you need to be a great recruiter is a phone and a laptop.

So while I cannot talk directly about the challenges faced by recruiters, I have however been on the other side of the process as both a candidate and a hiring manager. I can say that in almost 20 years I have yet to meet a recruiter for whom I would go out my way to recommend. Not one. In 20  years.

Not. One.

So if you are a recruiter who has engaged with me in the past, yes, this applies to you, without exception. If you want to know why, read on, and then be honest with yourself. Did you really provide the kind of service I describe below? Do you now?

The most frequent piece of advice I give anyone new to cybersecurity is to take your ego out the equation. That may sound odd coming from me, but even though I know a lot more than my clients about cybersecurity, it’s not about me. Of course I know more than my clients, that’s why they hired me! It’s about using my knowledge for the client’s benefit, not for appreciation, and certainly not for money. Both of those things should take care of themselves if I did my job correctly.

Again, this is no different from what you should be doing as a recruiter.

As a recruiter you have not one client, but 2, regardless of whom you represent; the candidate, and the hiring company. While this makes your task twice as difficult as mine, what you do is no more complicated. Like it or not, you are in the service industry, and neither the candidate nor end customer care what you want. But if that’s all you care about, you will rightly fail. Harsh, yes, but you chose this career.

Anyway, here’s my advice for what it’s worth.

How to be a Great Recruiter.

  1. Know what the hell you’re talking about – No, you don’t have to be an expert in cybersecurity, but there’s a very good chance the hiring company isn’t either. They will ask the wrong questions, it’s your job to give them what they need, not what they asked for. If you’re representing a person, you need to know their skill-set enough to determine a good fit. This means you have know what cybersecurity actually is, and no, not just the buzz-words and acronyms.
    o
  2. Know what the candidate wants – Like it or not, you have a responsibility to your candidates to help grow their career. This is their livelihood, and they trust that the power you have over their success is not misplaced. If all you care about is getting them off your plate and on to the next candidate, you are betraying their trust. If you don’t see you candidates as lifelong relationships, why are you doing this? Go sell used cars instead.
    o
  3. Send CVs that have been PROPERLY vetted – It’s tempting to scattershot all of your ‘cybersecurity expert’ CVs at every cybersecurity related job opening in the hope one sticks. Don’t. Do you homework, and if you don’t have someone that fits, pass. As a hiring manager I dismissed recruiters that consistently wasted my time. Earn the right of first refusal by being totally candid, that’s the most you can ask for with the amount of competition out there.
    o
  4. Provide unvarnished feedback – No matter how bad the feedback, pass it on completely unvarnished. If you don’t have the courage to do that, at least provide SOME feedback. I’ve lost count of the number of times a recruiter was all over me while I was still a viable candidate, then completely disappeared when it fell through. Obviously I didn’t get the job, which was bad enough, but for me to have to work that out by myself over the course of the next few weeks is unconscionable. While you may not be able to help your candidate from screwing up the next time, you’ll at least have a candidate who’ll talk to you again.
    o
  5. STAY in touch – Careers in cybersecurity can change on a dime, if you don’t maintain a relationship with your candidates you will become worthless. I’m not saying call every day, but is once a month too much to ask for a 30 minute catch-up? If it is, again, why are you doing this, you’re supposed to actually like people. Besides, if I trust you, who do you think is going to get all of my referrals?
    o
  6. Be pro-active – As a recruiter, you have unparalleled access to the demands of the market. What possible reason could have for not feeding that back to your candidates? By steering them into fields of high demand you are helping both them, and yourselves.
    o
  7. Love what you do – No-one wants to work with someone who could not care less about what they do. Love it, or get out.

Recruiters in every field have a horrible time fighting against their negative image. An image they have earned as a profession from being so filled with dross. Unfortunately cybersecurity is getting that way thanks to ambulance chasing vendors. Now combine the two; cybersecurity recruiter. The odds are against you, but it strikes me that anyone encompassing the above would be a beacon in an otherwise dismal landscape.

For those who have the temerity to ask for exclusive deals up front, try earning it instead. Given the state of recruiting these days it should not be that difficult.

Finally, at the end of my blog; Cybersecurity Recruiters, The Gauntlet Is Thrown! I stated my ultimate purpose was to find the great recruiters I know are out there.

I’m still looking.

[If you liked this article, please share! Want more like it, subscribe!]

Change

Cybersecurity Professionals: Don’t Change by Not Changing at All

Yes, I stole this line from Pearl Jam’s 1993 song; ‘Elderly Woman Behind the Counter in a Small Town‘. But in my defence, I have always loved the line and I did wait for almost a quarter of a century before I stole it.

The very simple, yet extraordinarily powerful message is one that applies equally to your personal and professional lives. Though I for one have never believed that you can keep your work and home life separate. They overlap in just too many ways. We used to have communities to fulfil our Maslow’s sense of belonging, now we have the companies we work for. We used to derive our sense of self-worth from taking care of our families, now it’s from a big annual bonus, a cheap award, or worse, a title.

But I digress. Already.

In a previous blog; So You Want to be a Cybersecurity Professional, I posited that you really only have 2 career choices; 1) specialise, or 2) generalise. “You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.”

Unfortunately, if you’re not careful, both of these choices have a significant downside; if your knowledge stands still, your skill-set will become obsolete. As technology continues to advance, and the corresponding social issues (privacy for example) become more complicated, cybersecurity professionals have to adapt to an ever-changing array of requirements. While I find the vast majority of job descriptions ridiculous in the extreme, you only have to look at what employers are asking for to see the writing on the wall.

In Europe, for example, if you can’t speak at east relatively competently about technology issues as they relate to the GDPR or even PSD2, you are not setting yourself apart. Not in a good way at least. And if you are not adapting to the current cycle of distributed processing (i.e. The Cloud, containers, FaaS and so on), then your ability to administer physical assets is not likely to take you as far as you’d like.

I have never hidden my disdain for our over-reliance on IT/IS certifications. But even I find myself back in the study/test cycle in an attempt to render my skill-set a little more relevant. I have signed up for both the Certified Information Privacy Technologist (CIPT) and the Certified Information Privacy Professional / Europe (CIPP/E) in an attempt to make my individual ‘service offerings’ more attractive. I’m not saying that the certs will do that by themselves, you have to actually read the regulations to which they refer, but it’s a start. So is talking to people in related fields.

I would say that it’s the specialist career which is actually the most at risk, especially given the ridiculous number of ‘new’ technologies that have hit the market. Almost on a daily basis it seems. Tie yourself to one of these ‘acronyms‘ and it’s unlikely you’ll be relevant for more than a year or so. Unfortunately, cybersecurity is not so much an evolution of responsible services, it’s a cycle of vendor-defined demand generation predicated on buzz-words and F.U.D.

Perhaps I’m only seeing all this from my own ‘generic’ and slightly jaded perspective. I have largely removed myself from individual security technologies to focus on the basics. While the basics (or as I call them, the Core Concepts) of security will never change, even these need to be refreshed in light of evolving business needs and priorities.

In the end I think a lot of our problem in cybersecurity is that we think we’re a department alone. I believe we are the exact opposite, we are the one who need to be in on everything. After all are not data assets the crown jewels of most organisations?

With that in mind, here’s how to embrace change:

o

  1. Read – Most of us subscribe to things of direct interest, but few of us subscribe to things outside of that limited sphere. Like it or not, IT and IS departments are only there to enable, so you need to know what impacts other department like finance and legal if you want to stay ahead of the game;
    o
  2. Talk to People – Probably the hardest one for me, but IT and IS do not exist in a vacuum. What scares the crap out of all the other departments? You’ll find out eventually, don’t let it be the hard way;
    o
  3. Training & Certification – While you don’t need to go the whole hog and collect another almost meaningless acronym, at least get yourself trained by an expert in something with which you are currently unfamiliar. GPDR for example, or PSD2 if you’re in the payments space, or even PCI if you’re really desperate;
    o
  4. Self Reflection – Unless you’re one of the lucky ones who’s in a career they chose, you likely found you way into cybersecurity by accident. Or in my case, a comedy of errors. This does not mean it can’t be a perfect fit, you just have to be extra aware of your talents and skills to not find yourself in a position for which you are wholly unsuited;
    o
  5. Find a Mentor – This does not mean you have to get a hands-on mentor, even following a person whom you respect on LinkedIn is a good thing. Find someone(s) who are were you want to be, they’ve already made a lot of the decisions you are going to face.

History is full of people who could not imagine becoming obsolete. I’m going to go out on a limb and say that these people ended up with significant regret.

[If you liked this article, please share! Want more like it, subscribe!]

Right to Erasure

GDPR: Does the Right to Erasure Include Backups?

I received what, to me, was an interesting question the other day (thank you Gareth), which was [paraphrased]; Does the GDPR’s Right to Erasure (a.k.a. The Right to be Forgotten) include every instance of the data, including those contained in backups?

The short answer is yes, it does, but that is simply not what is going to happen in the real world. I can see three possible arguments organisations could use to avoid making the potentially significant effort of erasing data subjects from backups:

  1. It’s backed up and therefore not processed – this is negated by Article 4, Definitions – (2) “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
    o
  2. Interpretation of the phrase; “…taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures…” – While this phrase, and several similar equivalents, are not used directly in the context of backups (which doesn’t seem to be addressed at all outside the context of ‘storage periods’) it nevertheless suggests the the GDPR has wiggle room. However, to even think about using this argument, you’d better do a Hell of a lot more to make your argument. The word ‘reasonable’ in lawyers terms is built on precedent, in cybersecurity it’s built on your ability to demonstrate a credible and sustainable security program.
    o
  3. Plead ignorance (i.e. We didn’t know we had it!) – This is no different from; “Sorry officer, I had no idea how fast I was going so the speeding ticket cannot apply!”. If I was the supervisory authority, these are the organisations who would be prevented from processing personal data, and/or receive the biggest fines. Not knowing you even had the data in the first place is either laziness, incompetence, or both.

There will absolutely be scenarios where the cost and level of effort necessary to remove a data subject from every system could rightly be deemed ‘unreasonable’. However, in this scenario, the difference between you saying it’s unreasonable and you demonstrating that it’s unreasonable will directly impact the egregiousness of your offence. And if you accept that the penalties associated with non-compliance with the GDPR will be based on the egregiousness of the offence, it follows that the more you do pro-actively the better off you will be.

From my perspective, the only way to do this is to perform what follows below. While this may seem like a lot, not one of these steps is something you shouldn’t either be doing already, or doing in preparation for May 25th 2018.

How to Justify Non-Compliance with Article 17 (for Backups)

Caveat 1: I am in NO way suggesting that this is ‘officially approved’ mitigation, this is based solely on my experience and a little common sense.

Caveat 2: This assumes that Article 17(3)(a-e) does not apply.

Req. 1: Run a Risk Assessment (RA), a Business Impact Analysis (BIA), and a Privacy Impact Analysis (PIA) – Put simply, you cannot decide whether or not fix the problem until you have run these three fundamentals. The RA and the PIA would be the first things I would ask for if I was an auditor, and the BIA would be the first thing I would ask if I was on the BoD.

Req. 2: Get your Policies, Standards and Procedures in order – These represent your culture, your operational baselines and your corporate knowledge respectively. Unless you know exactly what to do, what NOT to do, how to do what you do, and what you’re doing it with, you cannot demonstrate appropriate controls. Ever.

Req. 3: Education: Unlike PCI, where trying to educate most organisations is utterly pointless, privacy is everyone’s problem. Your entire organisation must be made aware of their responsibilities for the protection of personal data, as well as trained on how to report suspected loss or manipulation. Education is by far the best and cheapest way to reduce risk.

Req. 4: Map business processes and data stores – You must know how data is handled in order to understand how and what get stored at the end of the processing. Also, if you cannot show that your current processes enable the enforcement of future data subject requests, then you will not be able to justify keeping the old stuff. You must stop the bleeding.

Req. 5: Determine if current data stores match data retention policies – Part of Req. 2 includes compiling a record of all data retention justifications and timelines for all data types (most notably ‘special categories’). Should your processes for data storage not include a robust methodology for removing old data this will not look good.

Req. 6: Document your plan to remove data over the course of a specific time frame – Not much point trying to explain why you can’t delete something if you NEVER plan to do so. Even if the plan is over the course of 7 years, have one, as it will likely be a negotiation at this point.

Req. 7: Obtain Board of Director’s acceptance of residual risk – If this issue has not made it to the BoD level, I would have significant reservations as to just how seriously you are taking it. If you get audited by the supervisory authority it will not be the IT admins they are talking to.

Req. 8: Tell the supervisory authority – Wait! What!? TELL the supervisory authority, are you stupid!! Perhaps, and I’m not saying this is the right approach in every scenario, but the GDPR is not there to put you out of business, and supervisory authorities are not dictators. Everyone is in the same boat here, we’re ALL learning, so take advantage of the confusion.

As things stand right now, you’ve already had over a year to fix this issue, and you have just under another year before you are, quite literally, breaking the law. I understand the difficulty, but after May 25th 2018 you still have to explain why you wasted the previous 2 years. Every requirement above fits very neatly into 1 or several of Article 83’s ‘regards’ given to individual circumstances;  Negligence, actions taken, degree or cooperation, even HOW the infringement became known to the supervisory authority, all have bearing. The more you can pre-empt, the less the negative impact.

Finally, if you fall for ambulance chasers, or are terrified of the impact the GDPR will have on your business, you clearly aren’t doing what you should be doing. Bite the bullet, hire a lawyer, and get moving on this.

[If you liked this article, please share! Want more like it, subscribe!]