GDPR - One Year Later

[SELF-PROMOTION]: BrightTalk Summit – GDPR: One Year Later

This is a blatant self-promotion, so feel free to ignore it!

I will be presenting at the BrightTalk Summit titled ‘GDPR: One Year Later’ this coming Monday, May 20th at 11AM GMT.

Synopsis:

In the panic leading up to May 25th 2018, many organisations did one of three things:

  1. Hired a lawyer first;
  2. Hired a data security expert first, or
  3. Absolutely nothing.

All of these approaches are wrong, and regardless of the size/type of your organisation, the first step was exactly the same: go find your data.

In this presentation we will simplify the process of achieving GDPR compliance so that anyone can get started.

Go here to sign up!

GDPR Starts With Your Data, Not With Lawyers

Information Security Policies

Why Information Security Policies are Pointless

The title should be: Why YOUR Information Security Policies (ISPs) are Pointless, but I figured this title was far more contentious/click-worthy.

If you’ve come this far, you’re in one of two groups:

  1. You’re horrified at my ignorance and want to rip me a new one (good for you by the way); or
  2. You’re thinking the equivalent of “I knew it!”, in which case you need this more than anyone.

When I say that your ISPs are pointless, it’s because in all likelihood they are. Assuming you even have a policy set (policies, standards and procedures), ~20 years of consulting experience has shown that they invariably:

  1. are not sponsored/supported/signed-off by the highest levels within an organisation – does anyone really care about something their bosses don’t visibly care about?;
  2. are not managed by a governance function to ensure adherence to business goals / regulatory compliance / corporate responsibility etc – who else is going to do this? The CEO? A CXO by him/herself?;
  3. include no overarching framework policy that 1) spells out a commitment to security, 2) breaks down the responsibilities for everyone from the CEO to the interns, or 3) details the consequences for non-conformance – how well do buildings stand up without foundations?;
  4. are generic templates with zero attempt to fit them to the prevailing culture – sometimes the phrase “That’s not how we do things here!” is perfectly acceptable;
  5. are non-aspirational – it’s actually a good practice to set your policies above your current security capability, IF you have a comprehensive exception/variance process linked to a risk register / risk treatment plan as part of the framework;
  6. are not DIRECTLY linked to robust risk management processes to ensure full policy coverage and continuing suitability to the business – how do you know they’re right?, now and in the event of significant change?;
  7. are not part of an [annual] internal audit process to measure adherence – few companies even have an internal audit function, let alone one capable of assessing IT/IS policies;
  8. are not part of employee on-boarding and ongoing security awareness training programs – every role should have relevant policies assigned to it, and appropriate training should be continuous;
  9. are not maintained appropriately/consistently – you don’t need a librarian to do document management well, you just have to be organised; and
  10. are not distributed or made available to everyone whom they impact – “Policies, what policies?”

Bottom line is that I have never seen a policy set done well, and it’s not a coincidence that I’ve never seen security done well either. These two things go hand-in-hand and you absolutely cannot have one without the other.

Yes a decent policy set is ‘paperwork’, yes it’s bloody difficult and time consuming, and no, it’s not even remotely sexy, but don’t bother trying to get a security program in place without them. Seriously, don’t even bother, because it will fail.

Lego don’t send out a 4,000+ piece Death Star set without detailed build instructions, and that’s exactly what your policies, standards and procedures are; instructions on how to do security appropriately within your organisation.

So why don’t all security folks take this more seriously? Two main reasons: 1) they are so focused on technology that the processes fall by the wayside, and 2) they have tried over and over and finally gave up, electing to do what they can, knowing full well it will never be enough.

Sad, huh?

Security is about People, Process and Technology, in that order, because without a policy set you will have:

  • no understanding of the technology[ies] you will need – risk assessment;
  • no processes to run the technology properly – procedures;
  • no way to sustain the technologies moving forward – vulnerability management;
  • no understanding of what to do with technology output – incident response;
  • no-one who could perform the incident response even if you did – security awareness training.

A decent set of information security policies ties all of this together into a sustainable program, and if you still don’t think they are that important, you are simply not paying attention.

[If you liked this article, please share! Want more like it, subscribe!]

FinTech

FinTech vs The Status Quo

There is an old wisdom story about a truck that gets stuck under a bridge. The details vary, but the gist is that all conventional [old school] thinking fails to solve the problem, but out-of-the-box thinking [a young girl/boy] gets the job done.

If you’ve not heard this overused (and yes, [pun intended] ‘tired’) analogy, the premise is that:

  1. a truck gets stuck under a bridge/overpass;
  2. all the best [old] engineers around cannot solve the problem, and their solutions include:
    • force the truck through, likely damaging both truck and bridge;
    • drag the truck back out, so it won’t reach its destination; and
    • raise the entire bridge.
  3. a child [young/fresh] comes along and says to take air out of the tires, thereby lowering the truck just enough to pass under the bridge.

Call it common sense, call it obvious, but the solution was only clear to someone with a completely fresh pair of eyes and no preconceived notions of the ‘right’ way to do something.

This is where we find ourselves in the world of FinTech. Defined as “the new technology and innovation that aims to compete with traditional financial methods in the delivery of financial services”, FinTech as a buzzword has been around for over 25 years, but what has it achieved?

If you see ‘invisible payments’ and seamless feature-rich ancillary services (loyalty points / rewards for example) as the ultimate goals of FinTech, where are we in 2019?

We have the technology [most of it anyway], we have a growing interest, but what we still DON’T have is the support of those with a vested interest in the status quo.

Hardly surprising, right?

From banks, to payment card brands, to payment terminal manufacturers, and even regulators, it is in their best interests to keep things the same. But the brave new world that IS coming has no place for those unprepared / unwilling to change or adapt.

There’s no denying that management and transfer of value (a.k.a. money) in 2019 is both massively complex and monolithic, but that’s really no excuse, not with the billions being invested in innovation. And while I do not want to trivialise the truly enormous effort required to effect the necessary changes, I resent the active obstruction.

On BOTH sides.

Instead of working together, both sides are doing their damnedest to grab the biggest piece of the pie. Like there aren’t billions of £/$/€ to go around. Capitalism and sheer greed are ensuring that the best ideas are not being made available to the end consumer. And it’s OUR money they’re playing with!

The prevalence of the buzzphrase ‘disruptive’ is the perfect indicator that FinTech has little interest in bringing the old school along for the ride, so is it any wonder that the old school wants to ‘defend’ itself? All the old school have to do is lobby the regulators, and FinTechs run out of money before their ideas see the light of day.

It’s us that lose.

I want access to MY money wherever, whenever, and HOW ever I want. I also want as many features as possible around the use of my money as I deem relevant. From loyalty programs, to instant coupons, to money management, to whatever comes next, the old-school has proven its inability to innovate [adequately], which is WHY we have FinTech in the first place.

Clearly I have no solutions in this rather useless blog, but if one person comes over to the light-side (sustaining innovation), I’ll consider this worthwhile.


Selling Security

Selling Cybersecurity: What We Can Learn From The Ice Bucket Challenge

In July/August 2014 the ALS Ice Bucket Challenge changed forever how charities should have organised their fundraising efforts. Replacing the usual guilt-trip approach with something fun/’socially mandatory’ resulted in hundreds of millions being donated to a cause few people had even heard of, let alone cared about.

People gave to ALS not because it was more deserving than other charities, they gave because to NOT do so attracted negative social repercussions most of us could not ignore. This was more than a little hypocritical as I expounded upon here, but this is now the social media-driven world in which we live.

But it WAS also fun! To do and to watch.

That said, I seriously doubt 99 people out of 100 who did the challenge either gave to ALS charities subsequently, or remember now what ‘ALS’ is even the acronym for. They may have known at the time, but the details are no longer important unless ALS has a direct impact on their lives or the lives of a loved one.

These are not bad people, they are you and me.

The fact is that the number of diseases affecting humans is in the tens of thousands, the number of charities ‘serving’ them in the millions. 99.9% of these charities do the exact same thing, and have done this since time immemorial; show you the effects of the disease on someone else and ask you to care.

Almost all charities are still ‘advertising’ in the same way, when it’s only the ones that truly stand out that get the lion’s share of our money, let alone our volunteer time.

The problem is that we are so inundated with requests to give that we don’t even see/hear them any more. We are immune to the very feelings of guilt/societal obligation/altruism the charities are relying on to get you reaching for your wallet.

But in the end: “The definition of insanity is doing the same thing over and over and expecting different results.”

Though far less dramatic and controversial, people trying to sell cybersecurity are doing almost the exact same thing. The original title of this blog was actually “Selling Cybersecurity: Fear is WHY the Board Don’t Care!” as those who should be worrying about security are simply numb to the whole thing. They just don’t care any more, if they ever did in the first place.

Headlines abound with data breaches, fines levied, and CEOs disgraced. The more of this we see, the less we give a damn. We have already become ‘snow-blind’ to the possible, even likely, consequences.

This is our fault. As security professionals it is OUR job to talk to our prospective clients in THEIR language. WE have to understand that our clients probably don’t care about security, and probably never will. WE have to give them an ROI.

As an analogy, do you care about your car insurance? What would a car insurance salesman have to do for you to be anything other than dismissive, or even downright rude?

It’s actually OK that they don’t care. If you said that you cared about all human diseases I’d say you were full of %^$£. But if you want them to actually buy something from you, you’d better be able to change the conversation to something of interest. Interest to THEM that is, because of course they care as little about your business as you care about theirs.

Not caring does NOT mean doing business without ethics or integrity, in fact it’s more honest if, and only if BOTH sides benefit.

From PCI, to PSD2, to GDPR, to every regulation that will ever come down the pike, vendors will scramble to find ANY motivator to get organisations to spend money. The only motivator that will ever gain traction is one that’s good for their business. Fear of breach/fines/reputation loss is nothing in the face of how spending money on security affects the bottom line.

So how do we change this conversation?

Frankly I have no idea, and anyone who can get even close to the effectiveness of the Ice Bucket Challenge in cybersecurity sales will rule this little slice of the world. But what I’m NOT going to do is waste my time telling clients things they could not care less about and expect them to throw money at me. In fact, I’m going to question why they think they want my services in the first place. Because if it’s not for a reason that makes sense to their business, the project will fail and it WILL be my fault regardless of any evidence to the contrary.

There will of course never be an Ice Bucket Challenge for cybersecurity as a whole, but there CAN be an equivalent paradigm shift in each organisation you talk to. You’re there because they have to do security, not because they want to; nothing you say about security outside of a business-benefit context will matter to them.

You just have to find what that benefit is.


Procrastination

GDPR: Advice for Every Small Business

According to every statistic I’ve read, there is still a huge chunk of business owners who have not even read the GDPR yet, let alone done anything about it. To be clear; no matter the size of your business, you have to comply.

For example, Core Concept Security Ltd. (my company) is very small, but even I have to pay a ‘Data Protection Fee’ and sort out my contracts and privacy notices. What I DON’T have to do is:

  1. Designate a data protection officer (DPO) – Article 37, because I meet none of the criteria in 37(1)(a-c); or
  2. Produce a ‘record of processing’ – Article 30 because my company is under 250 employees and I do not meet any of the 30(5) criteria.

I know all of this because I HAVE read the GDPR, I HAVE sorted out my contracts and privacy notices, and I HAVE paid my data protection fee. There is no excuse I have heard to date for EVERY other small business not to do the same.

Follow these steps, and you’ll have done the most important thing imaginable: something.