5 years ago, when I was still smarting from being laid off [fired, cough], I found myself back in the job market looking for …something.
After 12+ years in the same organisation, I had worked my way up from ‘Firewall Administrator’ to ‘Director or Delivery’ for EMEA and APAC. Through poor planning and various character flaws I was at a complete loss where to start looking for an equivalent position. My safety-net was non-existent as making connections has never been what I would call a strong suit.
So I did what everyone else does; I called some recruiters. And I got what a lot of other people got by doing so; nowhere and frustrated.
But as much as I have criticised recruiters; Cybersecurity Recruiters, The Gauntlet Is Thrown!, they are doing an almost impossible job. I have even tried to help; How to be a GREAT Cybersecurity Recruiter, but this still leaves them addressing only the symptoms. The root cause of all our woes is, of course, the hiring organisations themselves.
Like every other independent security consultant out there, I have to ask; “Cybersecurity skills gap? What the Hell are you talking about?”
I’m not even going to quote the plethora of doomsday statistics, but suffice to say the majority of organisations and Governments believe the cybersecurity skills gap is actually a real thing and getting worse. They have no idea that the experts to solve most security issues are out there with dumbfounded expressions thinking; “I’m sitting RIGHT here?!”
How can there be a shortage when I, a cybersecurity professional available for hire, am not overwhelmed with requests for help? How is it that EVERY cybersecurity consulting company in the world isn’t experiencing exponential growth? Why do I see cybersecurity practitioners all but begging for jobs on LinkedIn almost every day?
It can only be because those looking for help are simply looking in the wrong place, and here’s an example;
I was actually chuckling to myself as I wrote that title because I know you were thinking [the equivalent of] one of the following as you clicked on the link:
- If you have not read the GDPR: “That would be awesome!”
- If you have read the GDPR: “Don’t be so bloody stupid.”
No, of course ISO 27001 certification won’t give you immunity from GDPR fines, even those related to data security breaches, which is the only thing 27001 actually covers. Data security (as opposed to data processing) is a single Article out of 99, and the fines related to data loss aren’t even the big ones (2%, not 4%).
That said, I believe there is a much greater chance of you being fined for lack of security than for any illegalities in your personal data processing.
It’s a matter of exposure.
I finally figured out why this blog was so damned difficult [for me] to write; I’ve been thinking all wrong about what exactly a DPO actually is. Which is odd, because I had the exact same challenge when writing about CSO/CISOs, and I really should have learned from my mistake.
When you think about a CISO (assume this also means CSO), or a DPO, you instantly picture a person. Maybe your organisation already has one so their face springs to mind, or if not, you have a indistinct and faceless image of someone in a suit. The fact is, neither the CISO nor the DPO are people, they are functions. Multiple functions in fact.
And not only that, they involve multiple disciplines, skill-sets, even personal preferences. Most importantly, neither the CISO nor the DPO functions [performed correctly] are ever a single person. A DPO would, quite literally, have to be an expert in privacy law (both EU and national), contracts, risk management, policy development, distribution and audit, and understand all personal data flows throughout the business.
You therefore need to break the function down before you can move forward. For example; I broke the CISO function down into 3 distinct skill-sets/phases: Continue reading
My original title was “Data Security vs Data Protection[…]”, but an unfortunate number of people see these as pretty much the same thing, even interchangeable. Then I chose Cybersecurity instead of Data Security but that doesn’t cover all forms/formats of personal data, so I finally had to settle on Information Security.
As for Data Protection, it’s not, in and of itself Privacy, and so on…
But you see the problem already? If we can’t even agree on common terminology, how are we expected to ask the right people the right questions in order to solve our problems? But I digress…
For the purposes of this blog I have chosen the following definitions of ‘Information Security’ and ‘Privacy’: Continue reading