5 years ago, when I was still smarting from being laid off [fired, cough], I found myself back in the job market looking for …something.
After 12+ years in the same organisation, I had worked my way up from ‘Firewall Administrator’ to ‘Director or Delivery’ for EMEA and APAC. Through poor planning and various character flaws I was at a complete loss where to start looking for an equivalent position. My safety-net was non-existent as making connections has never been what I would call a strong suit.
So I did what everyone else does; I called some recruiters. And I got what a lot of other people got by doing so; nowhere and frustrated.
But as much as I have criticised recruiters; Cybersecurity Recruiters, The Gauntlet Is Thrown!, they are doing an almost impossible job. I have even tried to help; How to be a GREAT Cybersecurity Recruiter, but this still leaves them addressing only the symptoms. The root cause of all our woes is, of course, the hiring organisations themselves.
Like every other independent security consultant out there, I have to ask; “Cybersecurity skills gap? What the Hell are you talking about?”
I’m not even going to quote the plethora of doomsday statistics, but suffice to say the majority of organisations and Governments believe the cybersecurity skills gap is actually a real thing and getting worse. They have no idea that the experts to solve most security issues are out there with dumbfounded expressions thinking; “I’m sitting RIGHT here?!”
How can there be a shortage when I, a cybersecurity professional available for hire, am not overwhelmed with requests for help? How is it that EVERY cybersecurity consulting company in the world isn’t experiencing exponential growth? Why do I see cybersecurity practitioners all but begging for jobs on LinkedIn almost every day?
It can only be because those looking for help are simply looking in the wrong place, and here’s an example;
I was actually chuckling to myself as I wrote that title because I know you were thinking [the equivalent of] one of the following as you clicked on the link:
- If you have not read the GDPR: “That would be awesome!”
- If you have read the GDPR: “Don’t be so bloody stupid.”
No, of course ISO 27001 certification won’t give you immunity from GDPR fines, even those related to data security breaches, which is the only thing 27001 actually covers. Data security (as opposed to data processing) is a single Article out of 99, and the fines related to data loss aren’t even the big ones (2%, not 4%).
That said, I believe there is a much greater chance of you being fined for lack of security than for any illegalities in your personal data processing.
It’s a matter of exposure.
I have lost count of the number of times I have included phrases like; “You have to ask the right questions.” into my blogs, or into conversations with prospective clients. One of my primary roles as a consultant is to to either help my clients do just that, or to give them the right answers first if they are just too far behind the curve.
This is very easy in security, the ‘basics’ have not changed for generations, nor will they ever. So, for example, the question is never; “What technology do I need?”, it’s; “What function does the risk assessment say I need?”
But when it comes to GDPR, asking the right questions involves a significant amount of research and homework. Not only do you actually have to read the damned thing several times yourself, you have to understand it enough to apply it to your unique requirements. You have to be able to take the next step or nothing will happen.
The title should actually be more in question form; Did you know that there’s even a difference between being erased and being forgotten?
Article 17 of the GDPR is “Right to erasure (‘right to be forgotten’)“, which suggests they are the same thing. They are not [quite], and I think the only reason the right to be forgotten was added in brackets is because everyone was already calling it that. But it’s just not accurate …enough.
The right to be forgotten is intended to allow an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.” For example; you may have been guilty of a minor criminal offence 30 years ago, which in the UK would likely make that offence “spent” (i.e. it should not be considered in any decisions against you related to insurance, employment, loans and so forth). However, if this criminal record has been posted online then duplicated in numerous forms all over the place, it will never go away. In other words, you’ve paid your ‘debt to society’ but it will haunt you for the rest of your days.