Ignorance

How to Run a GDPR Project

First: If you think that as a cybersecurity ‘expert’ I know how to run a GDPR project a) you can’t be that familiar with GDPR, and b) you have not read any of my previous blogs.

Second: If you have read my previous blogs and clicked into this blog hoping to get advice on how to run a GDPR project, you weren’t ‘listening’. At most I am a first conversation and a pointer to your next.

Then again, would you be reading this right now if the title was “GDPR: No Idea What I’m Doing, But Here’s Yet Another Opinion”?

So like everyone else on this little regulatory bandwagon – with the possible exception of privacy lawyers – all I have are opinions, and what I hope is a little common sense. Here in the UK, for example, the GDPR is just an expansion of the Data Protection Act of 1998, which in turn was a consolidation of previous acts, some dating back to 1984. And if that’s not enough, ‘The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’, published in 1980 by the Organisation for Economic Co-operation & Development (OECD), contained many of the basic tenets upon which the GDPR is predicated:

  1. Collection Limitation Principle;
  2. Data Quality Principle;
  3. Purpose Specification Principle;
  4. Use Limitation Principle;
  5. Security Safeguards Principle …and so on.

That means privacy lawyers have had 37 years to get good at this stuff and pass it on to all fledgling privacy lawyers. The rest of us may have some knowledge, but this will only ever be enough to overlap with the legal profession. This overlap will then hopefully enable us to translate the lawyers’ legalese into a language relevant to our respective departments. This is actually critical to GDPR implementation, as lawyers do NOT have the final say; it will always be a negotiation.

Why is this not enough? Why would any non-lawyer even want the task of applying GDPR’s Recitals and Articles into a business’s specific context? Do you think you’ll make enough money to retire before you’re discovered as an incompetent? I have never seen a clearer case for a team effort.

The GDPR Implementation Team

  1. The Lawyer – For some reason, whenever I say lawyers should lead the effort, people come back with expressions of horror. “Lawyers can’t project manage!”, “Lawyers can’t operationalise GDPR!” and so on. By lead, I mean setting the goals and objectives. You know, leading, not managing. Only lawyers are truly qualified to provide proper context, so they should make their case first.
  2. The Salesman – Like it or not, GDPR will have an impact on your business. Leave the sales team out and you have ruined any chance you have of making that impact a positive one.
  3. The Marketer – As with the salesman, there is no reason that ‘compliance’ with GDPR can’t have a positive impact on an organisation, even its bottom line. The marketing / PR spin is the face of your efforts.
  4. The People Person – Sounds better than the HR person, but I have never understood why these folks have so little part in projects like this. They are the Keepers of the Culture; use them.
  5. The Technologist – While there is very little directly related to technology in the GDPR, it’s clear that technology has a huge role to play in its implementation. There is no compliance without the IT team.
  6. The Project Manager – This one needs no explanation.
  7. The Cyber-Peep – Where there is data and technology, there is a need for security wrappers, but this role is no more critical than the others. That’s like saying the wheels are the most important part of a car.

And yes, if there are other departments they should be included too. Privacy cannot be siloed.

What’s missing is something to bring it all together. If only there was an organisational function that took the input from all of these departments and stakeholders and formulated a plan to accomplish the business’s goals! Wait, sounds a lot like Governance, doesn’t it?

It’s already far too late to be proactive, but you have until the 25th of May, 2018 to appear to be proactive. Get your team together and don’t waste this opportunity.

[If you liked this article, please share! Want more like it, subscribe!]

Can Governance Replace the CISO?

Research IT Governance models and you’ll eventually come across the concept of People, Process, & Technology (The Golden Triangle). Yet another concept whose origin has been lost in time (it was not Bruce Schneier), but one whose evolution has polarised the security industry.

On the one side you have the technology-first advocates. Even a security icon like Bruce Schneier says: “We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.” Oddly enough, you’ll find most of the security product vendors in this camp too. I know, weird huh?

Then you have the side that I’m on, that says all the technology in the world can’t fix stupid. The enormous benefits that can be derived from technology are only achievable if the people put the processes in place to make the technologies effective.

In cybersecurity, technology can only enhance, it cannot fix.

Yes, of course technology is critical, why do you think I rage against PCI’s ‘daily review’ of logfiles so much? No, I do not believe that an organisation can ever achieve good security without the automation that only technology can bring, but putting technology first is the definitive cart before the horse.

In cybersecurity, technology can only enhance something that already works, it cannot replace it entirely.

So, to me, the job of the CISO is to get the three aspects of the golden triangle into line with the only thing that matters: the business goals. In the digital age, technology is the ultimate enabler, and CSOs/CISOs are the ultimate facilitators of that technology. The IT security function gets involved in everything from M&A to compliance, from incident response to internal audit, and it’s the CISO’s role to bring it all together into a sustainable program; one that is only ever appropriate to the business’s needs and no more.

But none of this is possible without Governance. The CISO, as a facilitator, is only a bridge between the business goals and the means to get there. It’s the Governance function that gets the job done.

Also, not every organisation can afford a CISO, and frankly nor should they even contemplate one if there is no discernible return on investment. This is where the Virtual CISO can come into play, and from my perspective, the only reason to consider one. It’s the v-CISO’s job to train the governance committee (or whatever it’s called) to do what CISOs do.

Too many organisations are instantly turned off by the word ‘Governance’. At best it’s seen as unnecessary bureaucracy, at worst it’s perceived as some kind of dystopian ‘Big Brother’. Nothing could be further from the truth; it’s not a department, it’s not an institution, it’s a function, one designed to help keep a business IN business.

EVERY organisation needs governance, regardless of size, region, or industry sector. The governance charter, membership, responsibilities, and operation will vary considerably, but all need to be appropriate, and of measurable benefit.

Only someone with the skill-set of a true CISO can put this in place in such a way as to be sustainable without them. But only a Governance function can keep it going.


There’s No Regulatory Compliance Without Governance

I don’t think anyone can doubt that the regulatory landscape relative to data privacy has tightened significantly over the last few years. I also think few will doubt that this tightening will continue, given the enormous growth in things like big data analytics, artificial intelligence, alternative payment methods, mobile, and of course, the Internet of Things.

Most businesses have given considerable thought on how to take advantage of these things, and may even have existing projects in place to exploit them, but without a program of IT Security Governance in place to provide the right input, at the right time, these projects could rapidly become a regulatory and financial albatross.

But what do I mean by Governance? According to Wikipedia, Governance “…relates to the processes of interaction and decision-making among the actors involved in a collective problem that lead to the creation, reinforcement, or reproduction of social norms and institutions.”

According to ICSA – The Governance Institute, it is “…the way that an organisation is directed and controlled. It is the toolkit for the processes and the oversight which drives the highest standards of leadership, accountability and behaviour. Strong governance helps boards and organisations to achieve their goals by acting appropriately and fairly.”

I could find 100 different descriptions, and none of them would be wrong, or even inappropriate to my message, but it’s a lack of understanding of what true Governance is that causes so many organisations to ignore it altogether. Without Governance, you don’t have any form of compliance, internal or external, let alone real security. End of story. It is one of The 4 Foundations of Security, and arguably the most important.

I like to simplify, so to me Governance is “The business side and the IT side having appropriate conversations.” That’s it. The business side will ALWAYS own and control an organisation’s goals, and rightfully so; the ONLY role of IT is to support and enable the achievement of those goals. Nothing more.

That said, exclude IT and IT Security from ANY aspect of the strategy and planning processes and you’re in for a world of hurt. Security is never more expensive or ineffectual than when it’s retrofitted onto a broken process. IT is NOT there to say no; they are there to say, “OK, but do it this way from the beginning.” IT Security is no different, and there is not one regulation on the planet that cannot be met if the proper planning is performed at the beginning.

As an extension to this, without Governance, the Legal, IT and IT Security departments can and do get in the way. It’s their JOB to protect the organisation! Too often Sales goes crying up to the CEO that someone is in the way of them doing business, and an edict comes from on high that completely circumvents the checks and balances that are there for a very good reason.

Governance controls this process and ensures that the needs of all sides, and therefore the entire business, are met with the minimum of delay or inefficiency. It is represented by Legal, IT, IT Security, HR, Sales, Marketing, you name it; everyone must have their say. There is simply nothing more important to a business’s health and future than a well-run cross-functional unit that has executive management support.

As an example, think about how important big data analytics has become to some organisations whose very existence is driven by transforming data into information. Harmless content can become PII, and AI can create profiles that would attract significant penalties without the collection of appropriate consent. With input from Legal, IT Security, and Data Analytics, a comprehensive strategy can be put in place to develop a product that meets regulatory needs. Then Marketing and Sales can do their thing and everyone wins.

Governance is both the way and the means to get these teams in the same room and talking about the same goal; no other function in the organisation has this much influence.

And it’s all so simple.

PCI – Going Beyond the Standard: Part 23, Governance

Over the course of the last year the word ‘Governance’ appears in no fewer than 26 of my 130-odd posts, and if you have read any of those posts you know how many times it appears in the PCI DSS v3.0.

Not once.

Going beyond the standard therefore is clearly very simple. HAVE governance and you’re way ahead of the game.

It does, however, get mentioned in the ‘Information Supplement: Best Practices for Maintaining PCI DSS Compliance’ released August 2014, when they refer to an “overarching security framework”. You’ve all read that, right?

They of course mention the usual suspects: COBIT, ITIL, the ISO 27000 series, and NIST, but quite rightly leave the choice and detail up to you, as well as make the most sensible statement I’ve seen yet coming officially from the SSC:

Integrating PCI DSS controls into a larger, common set of security controls is often the easiest path to ongoing PCI DSS compliance. Overarching security frameworks allow security teams to focus on a single target rather than trying to accommodate multiple (and sometimes conflicting) sets of requirements. It also provides for a common set of terms and metrics that can help avoid confusion when articulating security and compliance strategies to key stakeholders. When PCI DSS is integrated into an organization’s overall risk-based security strategy, it makes it easier to incorporate specific PCI DSS activities into the normal day-to-day operations of the security team. This, in turn, helps to ensure these activities are conducted on a regular, ongoing basis, which can make maintaining PCI DSS compliance a much more manageable task.

But who manages this? There are no governance frameworks that will work without a governance FUNCTION.

The IT Governance Institute’s definition is: “… leadership, organizational structures and processes to ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”

Or to put it my way: “The business side and the IT side having appropriate conversations.” Sounds trite, but this is exactly what is missing in most organisations, where the business side dictates the immediate goals while the IT side is left working tactically without any concept of where their actions fit into the whole; i.e. the business’s goals.

But it’s not always the business side’s fault; the IT departments in a lot of organisations start by saying no and work their way up from there. This gives them the reputation of being business-blockers, and everyone in their right mind will work around those if they want anything done.

Regardless of fault – there is no room for the blame-game in security – this is easily resolved if both sides play nice and set up some form of governance function. Call it what you will, but it is responsible for the following:

  1. Business Continuity Management / Plan – As representatives of [almost] all departments, the governance function will be responsible for the development and maintenance of the business continuity processes, which will be owned and ratified by the CEO / BoD.
  2. Risk Assessment / Business Impact Analysis – It is up to the governance function to ensure that the frequency, scope, and analysis of the RA / BIA processes are in line with the business goals as handed down by the CEO / BoD.
  3. Vulnerability Management / Risk Register – Unless the function of analysing risk and putting some form of prioritised remediation plan in place is centralised, you can never implement appropriate security.
  4. Change Control – Number 4 on my list, but EXTREMELY important! As I’ve said many times: if nothing in your environment changes, the only way risk can increase is by a change to the external threat landscape. Your vulnerability management process should take care of the external stuff, which, by strange coincidence, is also managed by governance.
  5. Vendor Due Diligence / Technology Purchases – Tack-on requirement, but my OCD doesn’t allow for only 4 bullets. That said, both of these items have critical security implications and should have governance oversight.

The composition of the governance function, their charter, and their ongoing processes cannot be dictated by any framework or standard, and must be entirely suited to the organisation in question. Industry sector, political / geographical region, culture and so on all have influence on the final result, so this is not something I can address in a blog.

As usual, I will end this with an ‘if you don’t have the skill-set in-house, go find it’ comment, but when it comes to the development and maintenance of a good security program, nothing has more overarching influence and benefit than governance done well.

‘Simple and appropriate’ is the mantra here, like it is in all things related to information security.

How Information Security & Governance Enable Innovation

Over the last 6 months since leaving a 12+ year career at one company, my thoughts come consistently back to one concept: innovation. Making positive change in terms of process and efficiency has always been a passion of mine. Nothing is perfect, and anyone using the phrase “We’ve always done it that way!” should be fired immediately for gross misconduct.

In much the same way that to someone with a hammer every problem looks like a nail, my natural inclination as a security ‘expert’ is to assign the lion’s share of importance to my area of expertise. While I most likely go too far in this, I think that I have at least some justification for my assertions, if only in the context of this blog.

Innovation is defined as “The act of introducing something new.” This is therefore one of the most critical concepts for the human race since it first achieved sentience (couldn’t use the word ‘intelligence’, I think that’s still pending). Whether you believe that was millions of years ago, 6,000-ish years ago, or it was a present from aliens, the speed with which we evolved from hunter-gatherers into what we are now is astonishing (couldn’t use the word ‘civilised’ either, and for the same reason). In just the last 100 years or so we’ve gone from the first flight to the moon, and from computers the size of a room to mobile devices with more computing power and capacity per unit than existed on the planet just 60 years ago.

All of this was done with one thing as the foundation: information. Yes, that information must be correctly applied to become knowledge – and hopefully in time, wisdom – but everything that has ever been invented, and WILL ever be invented, has information at its core. Invention starts with a need, and it does not matter what that need is, someone will feel the urge to fill it. Few people create things of no use (we’ll leave Apple and Modern Art out of this); they do it to make money, make a difference, or better the human condition.

The need, in and of itself, is a sort of information; how to take an idea and make something out of it is information; how to build / market / sell / distribute / improve the idea is information; and yes, how to USE the results of the idea is also information.

So why isn’t information better protected?

Why isn’t information seen as the definitive crown jewels in EVERY organisation, especially now that almost every aspect of business is digital, and online? Why don’t CEOs include those in CHARGE of protecting information in the process of business transformation and innovation?

I can’t answer those questions, I’m not smart enough, but seeing as I’m a security expert the why is irrelevant; it’s my job to ‘just get it done’. But that’s the challenge: unless the people ultimately responsible for innovation within a business understand and care about this concept, no one else is going to care (yes, I’m blaming the CEO …again).

There is an age-old concept in information security: that of Confidentiality, Integrity, and Availability. Some say it’s obsolete and needs refreshing, others try to change the names or add a 4th so that they can be seen to be radical thinkers, but the concept is every bit as valid as it’s ever been:

Confidentiality: If everyone has the information you have, you’re probably not innovating, you’re doing what everyone else is doing. Maybe you’re doing it slightly better than everyone else, but you aren’t going to stay in the lead for long.

Integrity: Not much point innovating if you’re doing it for the wrong reasons, in the wrong place, at the wrong time, or badly. If your information is not accurate and relevant it’s just data.

Availability: You can have all the information in the world, but if you can’t get to it WHEN you need to get to it, it’s as much use as a politician.

The whole point of IT Security is to take care of confidentiality and integrity, and IT Operations takes care of availability, but it’s the combination of IT Operations, IT Security and the BUSINESS side that puts information into context for ongoing innovation. That’s what the Governance committee is supposed to be doing: take a business need, help gather the necessary information to devise a solution, measure the business risk, and either move forward with the solution, or move on to the next.

Big data, data mining, predictive analytics and even the much misunderstood ratings and reviews fields would not be experiencing exponential growth if information was not seen as crucial to maintaining competitive advantage. That’s probably why it’s almost incomprehensible to me that organisations don’t take information security more seriously.

Almost.