Why the BA Fine Was So High, and What YOU Can Do To Avoid the Same

I have long maintained that fines under GDPR are the last resort, and that the ICO do NOT want to use Article 83 of the GDPR as a stick to scare organisations into compliance.

The ICO Commissioner, Elizabeth Denham, has even said as much herself, using the word “nonsense” when it was suggested that large fines would become the norm, that “Issuing fines has always been, and will continue to be, a last resort […]”, and “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective […]”.


[SELF-PROMOTION] New Core Concept Security Website

After 6 years of faffing around, my Core Concept Security website is finally up and running: https://coreconceptsecurity.com


It’s very basic, so I should be grateful for your comments / suggestions on improvement.

Many thanks,

David

You Want an Honest CV / Resume? Here’s Mine!

I have written several blogs on the poor state of cybersecurity recruiting, all with the hope that they may trigger at least some positive change. Even if that change is only in the very few people who are actually reading this crap.

When I say “poor state”, I of course mean fundamentally, systemically, and damned near fatally broken. It just does not work, not for the employers, not for the candidates, not for the recruiters, and not for the industry as a whole. As much as I have criticised/blamed recruiters, it’s really not their fault as much as we might think.

Recruiters, like any other salesperson, are rarely [if ever] subject matter experts in their chosen industry sector (i.e. they cannot DO the jobs they are trying to fill). The real experts, the ones who can actually do the work, are in turn rarely [if ever] capable of doing what the ‘salesperson’ does (i.e. they have no idea how to sell themselves).


How Valid Can the IAPP’s Certifications Be?

I have made no secret of my disdain for the ‘GDPR Practitioner Certification’ badge, and I still have no time for it, or its recipients who pass it off as real-world experience. But what alternatives are there if you want to obtain some form of data protection certification / privacy education?

The de facto standard, and really the only player in town, is the International Association of Privacy Professionals (IAPP), and their flagship badge, the Certified Information Privacy Professional (CIPP), is the most widely recognised and respected acronym you can add to your CV/resume. It’s the equivalent of the CISSP for those of us in the cybersecurity industry.


If Your Policies Aren’t Aspirational, Why Bother Having Any?

It is with some surprise (and frankly, confusion) that I now realise not all security professionals think information security policies (ISPs) should [must!] be aspirational in nature.

By ‘aspirational’, I mean that at least some aspects of your ISPs require a greater degree of control / implementation / assurance etc. than you are currently capable of achieving in reality.

The ‘accurate policy’ proponents feel that if the policies do not reflect exactly what you are doing, then what you are doing is in violation of your own policies, thereby effectively rendering those policies useless. I assume, by extension, that they consider that compliance with any regulatory regime is also nullified.
