Data Discovery

Which Data Discovery Solution is Right for Your Business

Anyone who reads my blogs knows that I’m not highly technical. In fact, I have warned organisations against buying technology [for technology’s sake] more than I have ever recommended it. And I will continue to do so until everyone is following the pre-purchase golden rules:

  1. Conduct a Risk Assessment with Business Impact Analysis;
  2. Perform a Gap Analysis comparing your risk to your mitigating controls;
  3. Build a detailed list of the security functions (NOT features) you need to fill the gaps; and
  4. Work out how you’re going to do these things before sending out an RFP:
    • Install it;
    • Integrate it;
    • Manage & Maintain it;
    • Monitor it;
    • Measure its performance against the agreed risk baseline(s)

So why am I talking about choosing a data discovery solution?

GDPR of course.

For the last 15 years the primary driver globally for security budgets has been PCI, but even that didn’t push organisations to invest in a data discovery tool. A little odd, because cardholder data could not be a more perfect use case. It is:

  1. either 15 (Amex) or 16 digits (Visa, MasterCard et al). Mostly anyway;
  2. almost entirely structured; and
  3. easily tuned for false positives (MOD 10, BIN comparisons, context etc.)
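As an added illustration of the three properties above (this is example code written for this page, not code from the original post), here is a minimal cardholder-data discovery filter in Python: candidate runs of 15 or 16 digits, a MOD 10 (Luhn) check, a simplified BIN/brand table, and a nearby-keyword context check, run over constructed sample text. The brand rules, keyword list and 40-character context window are simplifications assumed for the example.

```python
import re

# Candidate PAN: 15 or 16 digits, optional single space/dash separators, not part of a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){14,15}\d(?![ -]?\d)")

# Simplified BIN/brand rules assumed for this example (real BIN tables are far larger).
BRAND_RULES = {
    "amex": (re.compile(r"3[47]"), 15),
    "visa": (re.compile(r"4"), 16),
    "mastercard": (re.compile(r"5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)"), 16),
}

# Nearby words that raise confidence ("pan" also hits "expand": a tuning knob, not a verdict).
CONTEXT_WORDS = ("card", "pan", "visa", "amex", "mastercard", "exp", "cvv")

# Constructed sample: a Luhn failure, an unknown BIN, and three published test PANs.
SAMPLE = (
    "Order 1234567812345678 shipped; ledger key 0000000000000000.\n"
    "Customer card: 4111 1111 1111 1111 exp 12/25\n"
    "Amex on file 378282246310005 for recurring billing\n"
    "Mobile ref 5555-5555-5555-4444 in CRM notes.\n"
)


def luhn_valid(digits: str) -> bool:
    """MOD 10 (Luhn) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_for(digits: str):
    """Brand whose BIN pattern and length both match, else None."""
    for name, (pattern, length) in BRAND_RULES.items():
        if len(digits) == length and pattern.match(digits):
            return name
    return None


def find_pans(text: str, window: int = 40) -> list:
    """Masked hits that pass Luhn and BIN, each flagged with a context check."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = brand_for(digits)
        if brand is None or not luhn_valid(digits):
            continue
        ctx = text[max(0, m.start() - window):m.end() + window].lower()
        hits.append({"masked": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
                     "brand": brand, "context": any(w in ctx for w in CONTEXT_WORDS)})
    return hits
```

Run over the sample, the order number fails Luhn, the all-zero key passes Luhn but matches no BIN, and the three test PANs survive, with only the Visa and Amex carrying card-related context.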

But you can achieve PCI compliance without data discovery tools, so why would you spend any more money on a regulation that’s nothing more than a commercial obligation? Especially when you don’t HAVE to. ‘PCI projects’ are seen as just another expense, one usually separated entirely from the other security programs. No benefit to the business means minimal investment, and it’s hard to argue with the logic.

But GDPR is a whole other beastie. This is the law now, and as consumers become better educated, the demands made on a business will only increase. You simply cannot ignore data subject requests, nor can you afford to expend the effort to respond appropriately with mostly ad hoc processes.

So where does this leave you? This leaves you with the requirements to:

  1. discover ALL instances of personal data in your environment;
  2. map all USES of personal data to your business process;
  3. ensure that personal data is ONLY used for purposes legitimised by a lawful basis;
  4. ensure that all ingress and egress flows of personal data are only to/from approved 3rd parties/countries; and
  5. not lose any personal data to bad guys or incompetence.

Yes, you can do a lot of this manually, or with other controls, but operationally a data discovery / business process mapping tool will make your life significantly more efficient.

It also has numerous other benefits…

[Borrowing heavily from Security Done Well, The Ultimate ROI]:

  1. Overall Risk Reduction – if you know what you have, where it is, and who has access to it, you have a much smaller threat profile;
  2. Business Transformation – Data is central to all things. The ability of an organisation to order, compile and retrieve their accurate data the fastest enables them to adjust their processes in the face of customer needs, or competitive threat;
  3. Competitive Advantage – Data in context is information, information in context is knowledge, and knowledge applied correctly is wisdom. In this case, wisdom may be the competitive advantage you need to stay one step ahead;
  4. Financial Control – All finance these days is data in context, and while data discovery / business process mapping will never be able to provide that context, access TO, and the integrity OF, the data can provide a very welcome check and balance for the control of an organisation’s financial data assets;
  5. Avoidance of Fines / Loss of Reputation – Self-explanatory. How can you ever claim that your controls are ‘reasonable’ or ‘appropriate’ if you have little to no knowledge of your data life cycles;
  6. Cheaper IT Infrastructure and Maintenance – You only get real efficiency when all processes are simple, and you can only achieve simple if everything you have is appropriately baselined. These baselines are hard to achieve, and can be expensive in the short-term, but the long-term costs are significantly lower than trying to constantly work with too much (technology, data, people etc);
  7. PCI Compliance (if this is an issue for you); and above all
  8. Accountability – Whether it’s to your employees, regulators, investors, or your Board of Directors, you are accountable for what happens with, and to, your data.

But where do you even begin choosing the right tool / service for your organisation?

For that I have written a White Paper that breaks down my thoughts. You can find it here: Which Data Discovery Solution is Right for Your Business.

Your feedback is welcomed.

[If you liked this article, please share! Want more like it, subscribe!]

GDPR Year 1

GDPR: Some Thoughts on Year 1

This Saturday marks one year to the day that GDPR was enforced. 3 things are clear:

  1. The self-serving scaremongers were, as I suspected, full of $*%&;
  2. Anyone wondering why there have not been more fines continues to be ignorant of the true intent of GDPR; and
  3. Interest in GDPR took a nosedive after May 25, 2018.

Re: Bullet 1.: The GDPR fines to date across the whole of the EU have totalled €56M, a full €50M* of which was levied against a single organisation (Google, by CNIL). So that’s it, €6M in fines for EVERY OTHER organisation in the world. In one year. This is good.

Re: Bullet 2.: Are you really surprised that fines have been so infrequent and relatively light? The UK’s Information Commissioner herself could not have made it more clear that fines would be a last resort. But good news never sells, does it?

If you’re looking for more punishment, you have either completely misunderstood the intent of GDPR, or you have something to gain from it (see bullet 1). It’s supposed to be a law to protect a human right of every man, woman and child, not a punishment.

Re: Bullet 3.: The graphic below perfectly sums up people’s attitude towards GDPR. It represents the number of ‘Sessions’ per month my blog has received since I first started blogging back in 2015:

Blog Sessions

Have one guess where May 25th is?

I started writing about GDPR in the middle of 2017 (beginning of the ‘mountain’) and didn’t really slow down until late 2018 (back to normal). I’d like to believe that this enormous drop was indicative of the interest in GDPR rather than a reflection on my crap content. I think the coincidence is just too great to be the latter, but you never know.

In other words, May 25th was seen as a deadline. Once it passed most people thought they had dodged a bullet with everything now going back to normal.

To be clear, business under the GDPR IS the new normal. Conducting business will never go back to the way it was, and you will never again be able to process other people’s personal data outside of the 7 Principles laid down in Article 5. If you try, you’re exactly the kind of organisation the GDPR was written to defend people against.  

That said, you can [almost] be forgiven for thinking that GDPR has already had a significant impact. How tired are you of pop-up banners, privacy policies and choosing your cookie settings? Is this not an indication that organisations are taking GDPR seriously?

Actually, no, it isn’t. For a start this ‘cookie stuff’ has far more to do with e-Privacy, which isn’t even a law [yet], and from everything I’ve seen this ‘Internet-facing’ effort is nothing more than smoke and mirrors. Underlying processes have not changed, nor has most organisations’ ability to demonstrate GDPR compliance effectively. All they have done is drop themselves below the radar.

But that’s kinda the point; they HAVE done something, while those who continue to do nothing at all are setting themselves up for some very hard conversations. We are now at year 20-ish since data protection was included in EU national law(s) (the Data Protection Directive), 3 years since the final draft of the GDPR was signed into EU law, and a year since it became enforced. If you have still done nothing, bad things are heading your way. This is also good.

Some final thoughts:

  • No, I do not think the GDPR is perfect, and yes, I would like to see a lot more guidance on things like ‘Representatives’ and ‘Certifications’, but we were never going to see 28 separate countries agree on the way forward on these things so soon. It is still early days;
  • The GDPR was not enacted against business, it was enacted FOR you!
  • My entirely amateur opinions on data protection / privacy have been far more popular than on any subject I actually know something about, which is more than a little depressing.

If there’s one takeaway from this otherwise meaningless blog, it’s that it IS still early days in the enforcement of ‘GDPR compliance’; don’t waste this opportunity by doing nothing at all. The first steps are clear, and you don’t need a data protection expert to begin: GDPR: Getting to the Lawful Basis for Processing.


* For perspective, €50M is roughly 0.05% of Google’s global revenue, a 4% fine would be over €4 BILLION.

GDPR - One Year Later

[SELF-PROMOTION]: BrightTalk Summit – GDPR: One Year Later

This is a blatant self-promotion, so feel free to ignore it!

I presented today at the BrightTalk Summit ‘GDPR: One Year Later’:


In the panic leading up to May 25th 2018, many organisations did one of three things:

  1. Hired a lawyer first;
  2. Hired a data security expert first, or
  3. Absolutely nothing.

All of these approaches are wrong, and regardless of the size/type of your organisation, the first steps were exactly the same: Go find your data.

In this presentation we will simplify the process of achieving GDPR compliance so that anyone can get started.

You can catch it here if you missed it:

GDPR Starts With Your Data, Not With Lawyers


FinTech vs The Status Quo

There is an old wisdom story about a truck that gets stuck under a bridge. The details vary, but the gist is that all conventional [old school] thinking fails to solve the problem, but out-of-the-box thinking [a young girl/boy] gets the job done.

If you’ve not heard this overused (and yes, [pun intended] ‘tired’) analogy, the premise is that:

  1. a truck gets stuck under a bridge/overpass;
  2. all the best [old] engineers around cannot solve the problem, and their solutions include:
    • force the truck through, likely damaging both truck and bridge;
    • drag the truck back out, so it won’t reach its destination; and
    • raise the entire bridge.
  3. a child [young/fresh] comes along and says to take air out of the tires, thereby lowering the truck just enough to pass under the bridge.

Call it common sense, call it obvious, but the solution was only clear to someone with a completely fresh pair of eyes and no preconceived notions of the ‘right’ way to do something.

This is where we find ourselves in the world of FinTech. Defined as “the new technology and innovation that aims to compete with traditional financial methods in the delivery of financial services”, FinTech as a buzzword has been around for over 25 years, but what has it achieved?

If you see ‘invisible payments’ and seamless feature-rich ancillary services (loyalty points / rewards for example) as the ultimate goals of FinTech, where are we in 2019?

We have the technology [most of it anyway], we have a growing interest, but what we still DON’T have is the support of those with a vested interest in the status quo.

Hardly surprising, right?

From banks, to payment card brands, to payment terminal manufacturers, and even regulators, it is in their best interests to keep things the same. But the brave new world that IS coming has no place for those unprepared / unwilling to change or adapt.

There’s no denying that management and transfer of value (a.k.a. money) in 2019 is both massively complex and monolithic, but that’s really no excuse, not with the billions being invested in innovation. And while I do not want to trivialise the truly enormous effort required to effect the necessary changes, I resent the active obstruction.

On BOTH sides.

Instead of working together, both sides are doing their damnedest to grab the biggest piece of the pie. Like there aren’t billions of £/$/€ to go around. Capitalism and sheer greed are ensuring that the best ideas are not being made available to the end consumer. And it’s OUR money they’re playing with!

The prevalence of the buzzphrase ‘disruptive’ is the perfect indicator that FinTech has little interest in bringing the old school along for the ride, so is it any wonder that the old school wants to ‘defend’ itself? All the old school have to do is lobby the regulators, and FinTechs run out of money before their ideas see the light of day.

It’s us that lose.

I want access to MY money wherever, whenever, and HOW ever I want. I also want as many features as possible around the use of my money as I deem relevant. From loyalty programs, to instant coupons, to money management, to whatever comes next, the old-school has proven its inability to innovate [adequately], which is WHY we have FinTech in the first place.

Clearly I have no solutions in this rather useless blog, but if one person comes over to the light-side (sustaining innovation), I’ll consider this worthwhile.


Selling Security

Selling Cybersecurity: What We Can Learn From The Ice Bucket Challenge

In July/August 2014 the ALS Ice Bucket Challenge changed forever how charities should have organised their fundraising efforts. Replacing the usual guilt-trip approach with something fun/’socially mandatory’ resulted in hundreds of millions being donated to a cause few people had even heard of, let alone cared about.

People gave to ALS not because it was more deserving than other charities, they gave because to NOT do so attracted negative social repercussions most of us could not ignore. This was more than a little hypocritical as I expounded upon here, but this is now the social media-driven world in which we live.

But it WAS also fun! To do and to watch.

That said, I seriously doubt 99 people out of 100 who did the challenge either gave to ALS charities subsequently, or remember now what ‘ALS’ is even the acronym for. They may have known at the time, but the details are no longer important unless ALS has a direct impact on their lives or the lives of a loved one.

These are not bad people, they are you and me.

The fact is that the number of diseases affecting humans is in the tens of thousands, the number of charities ‘serving’ them in the millions. 99.9% of these charities do the exact same thing, and have done this since time immemorial; show you the effects of the disease on someone else and ask you to care.

Almost all charities are still ‘advertising’ in the same way, when it’s only the ones that truly stand out that get the lion’s share of our money, let alone our volunteer time.

The problem is that we are so inundated with requests to give that we don’t even see/hear them any more. We are immune to the very feelings of guilt/societal obligation/altruism the charities are relying on to get you reaching for your wallet.

But in the end: “The definition of insanity is doing the same thing over and over and expecting different results.”

Though far less dramatic and controversial, people trying to sell cybersecurity are doing almost the exact same thing. The original title of this blog was actually “Selling Cybersecurity: Fear is WHY the Board Don’t Care!” as those who should be worrying about security are simply numb to the whole thing. They just don’t care any more, if they ever did in the first place.

Headlines abound with data breaches, fines levied, and CEO’s disgraced. The more of this we see, the less we give a damn. We have already become ‘snow-blind’ to the possible, even likely consequences.

This is our fault. As security professionals it is OUR job to talk to our prospective clients in THEIR language. WE have to understand that our clients probably don’t care about security, and probably never will. WE have to give them an ROI.

As an analogy, do you care about your car insurance? What would a car insurance salesman have to do for you to be anything other than dismissive, or even downright rude?

It’s actually OK that they don’t care. If you said that you cared about all human diseases I’d say you were full of %^$£. But if you want them to actually buy something from you, you’d better be able to change the conversation to something of interest. Interest to THEM that is, because of course they care as little about your business as you care about theirs.

Not caring does NOT mean doing business without ethics or integrity, in fact it’s more honest if, and only if BOTH sides benefit.

From PCI, to PSD2, to GDPR, to every regulation that will ever come down the pike, vendors will scramble to find ANY motivator to get organisations to spend money. The only motivator that will ever gain traction is one that’s good for their business. Fear of breach/fines/reputation loss are nothing in the face of how spending money on security affects the bottom line.

So how do we change this conversation?

Frankly I have no idea, and anyone who can get even close to the effectiveness of the Ice Bucket Challenge in cybersecurity sales will rule this little slice of the world. But what I’m NOT going to do is waste my time telling clients things they could not care less about and expect them to throw money at me. In fact, I’m going to question why they think they want my services in the first place. Because if it’s not for a reason that makes sense to their business, the project will fail and it WILL be my fault regardless of any evidence to the contrary.

There will of course never be an Ice Bucket Challenge for cybersecurity as a whole, but there CAN be an equivalent paradigm shift in each organisation you talk to. You’re there because they have to do security, not because they want to; nothing you say about security outside of a business-benefit context will matter to them.

You just have to find what that benefit is.
