What Will Brexit Mean for Cybersecurity?

No idea.

But let’s be honest, everyone will be making wild speculations at this point, just as ‘experts’ in every other field will be. The only thing for certain is that the UNcertainty will be used by security vendors to try to scare UK companies into buying something.

This one is unrelated, but it is actually very good and you should read it first: Brexit: The Implications for the Insurance Industry.

Two of the pending EU laws in the pipeline that will be most cited are the Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR). While neither of these relates to information security per se, security is an enormously important component of each, and penalties will be commensurate with the egregiousness of the data misuse/loss.

The UK would have had to make these law within the next 2-3 years, but now what? If we’re not IN the EU, do we have to follow the EU rules? Can’t we just do our own thing, like the US?

Well yes, we could, all we’d have to do is adopt something like Safe Harbor and all EU countries would be more than happy to do business with us. Right?

I don’t think so somehow.

Clearly the UK would never put itself in that position [praying silently], and seeing as both PSD2 and GDPR are fully supported by the UK, I would very much doubt any UK-only law would be markedly different. But ANY difference will still complicate things for UK businesses. It will likely require UK organisations to be far more pro-active in the demonstration of their compliance than would otherwise be necessary.

And if there’s one thing that no organisation I have ever come across is good at, it’s the demonstration of good security practices.

Not one.

Luckily for us, there is absolutely nothing in ANY regulation of which I am aware that requires anything more than ‘appropriate’ controls. From the GDPR, for example: “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

This is the greatest thing about my chosen career: information security cares nothing for law, regulation, compliance, geography, or politics. It’s about a piece of data, on a computer, that someone wants to steal. Everything else is just reporting.

However, getting to the point where the demonstration of compliance is business as usual is extremely difficult. Not complicated, just difficult. It’s actually very simple: all you have to do is get the CEO/BoD to care about it and it will happen. Easy, right?

UK organisations had 2 years from May 25th to demonstrate compliance with the GDPR, now [potentially] they have to demonstrate their equivalent compliance to every EU business with whom they want to transact. And you thought answering RFPs was bad now!

Nothing will change anytime soon, but in the meantime, just do what you know you should have been doing all along, and start now.

Don’t know how? Ask.

Privacy Shield (ex. Safe Harbor), Here Come the Vultures!

You can almost feel it happening, can’t you? Every time there is an introduction of, or a change to some regulation or another, the vultures of the legal, security consulting, and even security product vendors spin up their marketing machines to invent new promises on how they will ‘guide you through the pending minefield’.

The thing is, I in no way blame them. I’ve likened selling security to selling insurance, in that no-one WANTS to buy something that seems to have absolutely no tangible benefit to the bottom line (it does though; How Information Security Enables Transformational Change). This results in the vast majority of organisations taking extreme liberties with the terms ‘reasonable’ and ‘appropriate’, which is as specific as most regulations go in terms of meeting their requirements.

Unfortunately, regulations are written by lawyers, who have a language all of their own. How is an IT Director supposed to translate legal-ese into geek-speak without some help? That’s where a PROPERLY run security program comes in: the translation becomes almost unnecessary.

I have made statements like this many times: “If an organisation was doing security properly, they would already be [enter regulation name here] compliant.”

Bold statement, but think about it this way:

  1. ALL information security and most compliance regimes relate [at least in part] to the protection of data
  2. The principles of information security have not, and will not ever change
  3. NOT doing these basics is the fault of the organisations, not the regulators (except PCI)

The only thing that’s different from one compliance regime to the next is how you report what you’re doing. PCI requires a very detailed (though mostly meaningless) controls-based Report on Compliance, SOX and HIPAA require something else, and the old Safe Harbor just required a SELF-assessment (and you wonder why it failed…).

Regardless, the underlying validation evidence is the same: policies, procedures, standards, operational integrity, incident response and so on. You are either doing these things or you’re not. And let’s be clear, you should be.

“But they’re moving the goal posts!” is a complaint I frequently hear, and it is usually the foundation of an excuse to do nothing. Just because YOU don’t know where the goal posts are doesn’t mean they’ve moved. All that really happens is that every time a regulation comes out and asks for more detail / accountability / transparency etc., it further exposes the fact that you weren’t doing things properly in the first place.

The General Data Protection Regulation (GDPR), for example, is freaking organisations out with its potentially enormous penalties. Penalties for what? Not using data for its original intent? Not obtaining explicit customer consent? Not LOSING the data in a breach? How is ANY of that unreasonable!?

OK, so the above is a gross simplification of the GDPR, but it’s not far off, and frankly, Privacy Shield will be even easier. If your organisation is not in a position to meet the intent of these data privacy regulations, then you are part of the reason they exist in the first place. And if your security program is in such a state that the vultures have easy pickings over the carcass of your IT budget, that’s your fault too.

Non-compliance with any regulatory requirement relevant to data protection is just a symptom of the same underlying problem: a crap security program. Fix that, and worry about the reporting afterwards.