GDPR - One Year Later

[SELF-PROMOTION]: BrightTalk Summit – GDPR: One Year Later

This is a blatant self-promotion, so feel free to ignore it!

I will be presenting at the BrightTalk Summit titled ‘GDPR: One Year Later‘ this coming Monday, May 20th at 11AM GMT.

Synopsis:

In the panic leading up to May 25th 2018, many organisations did one of three things:

  1. Hired a lawyer first;
  2. Hired a data security expert first, or
  3. Absolutely nothing.

All of these approaches are wrong, and regardless of the size/type of your organisation, the first steps were exactly the same; Go find your data.

In this presentation we will simplify the process of achieving GDPR compliance so that anyone can get started.

Go here to sign up!

GDPR Starts With Your Data, Not With Lawyers

Information Security Policies

Why Information Security Policies are Pointless

The title should be; Why YOUR Information Security Policies (ISP) are Pointless, but I figured this title was far more contentious/click-worthy.

If you’ve come this far, you’re in one of two groups:

  1. You’re horrified at my ignorance and want to rip me a new one (good for you by the way); or
  2. You’re thinking the equivalent of “I knew it!”, in which case you need this more than anyone.

When I say that your ISPs are pointless, it’s because in all likelihood they are. Assuming you even have a policy set (policies, standards and procedures), ~20 years of consulting experience has shown that they invariably:

  1. are not sponsored/supported/signed-off by the highest levels within and organisation – does anyone really care about something their bosses don’t visibly to care about?;
  2. are not managed by a governance function to ensure adherence to business goals / regulatory compliance / corporate responsibility etc – who else is going to do this? The CEO? A CXO by him/herself?;
  3. include no overarching framework policy that 1) spells out a commitment to security, 2) breaks down the responsibilities for everyone from the CEO to the interns, or 3) details the consequences for non-conformance – how well do buildings stand up without foundations?;
  4. are generic templates with zero attempt to fit them to the prevailing culture – sometimes the phrase “That’s not how we do things here!” is perfectly acceptable;
  5. are non-aspirational – it’s actually a good practice to set your policies above your current security capability, IF you have a comprehensive exception/variance process linked to a risk register / risk treatment plan as part of the framework;
  6. are not DIRECTLY linked to robust risk management processes to ensure full policy coverage and continuing suitability to the business – how do you know they’re right?, now and in the event of significant change?;
  7. are not part of an [annual] internal audit process to measure adherence – few companies even have an internal audit function, let alone one capable of assessing IT/IS policies;
  8. are not part of employee on-boarding and ongoing security awareness training programs – every role should have relevant policies assigned to it, and appropriate training should be continuous;
  9. are not maintained appropriately/consistently – you don’t need a librarian to do document management well, you just have to be organised; and
  10. are not distributed or made available to everyone whom they impact – “Policies, what policies?”

Bottom line is that I have never seen a policy set done well, and it’s not a coincidence that I’ve never seen security done well either. These two things go hand-in-hand and you absolutely cannot have one without the other.

Yes a decent policy set is ‘paperwork’, yes it’s bloody difficult and time consuming, and no, it’s not even remotely sexy, but don’t bother trying to get a security program in place without them. Seriously, don’t even bother, because it will fail.

Lego don’t send out a 4,000+ piece Death Star set without detailed build instructions, and that’s exactly what your policies, standards and procedures are; instructions on how to do security appropriately within your organisation.

So why don’t all security folks take this more seriously? Two main reasons; 1) they are so focused on technology that the processes fall to the wayside, and 2) they have tried over and over and finally gave up, electing to do what they can, knowing full well it will never be enough.

Sad, huh?

Security is about People, Process and Technology, in that order, because without a policy set you will have:

  • no understanding of the technology[ies] you will need – risk assessment;
  • no processes to run the technology properly – procedures;
  • no way to sustain the technologies moving forward – vulnerability management;
  • no understanding of what to do with technology output – incident response;
  • no-one who could perform the incident response even if you did – security awareness training.

A decent set of information security policies ties all of this together into a sustainable program, and if you still don’t think they are that important, you are simply not paying attention.

[If you liked this article, please share! Want more like it, subscribe!]

You’re Not Hiring People, You’re Trying to Solve a Problem

5 years ago, when I was still smarting from being laid off [fired, cough], I found myself back in the job market looking for …something.

After 12+ years in the same organisation, I had worked my way up from ‘Firewall Administrator’ to ‘Director or Delivery’ for EMEA and APAC. Through poor planning and various character flaws I was at a complete loss where to start looking for an equivalent position. My safety-net was non-existent as making connections has never been what I would call a strong suit.

So I did what everyone else does; I called some recruiters. And I got what a lot of other people got by doing so; nowhere and frustrated.

But as much as I have criticised recruiters; Cybersecurity Recruiters, The Gauntlet Is Thrown!, they are doing an almost impossible job. I have even tried to help; How to be a GREAT Cybersecurity Recruiter, but this still leaves them addressing only the symptoms. The root cause of all our woes is, of course, the hiring organisations themselves.

Continue reading

Skills Gap

Cybersecurity Skills Gap? You’re Clearly Looking in the Wrong Place

Like every other independent security consultant out there, I have to ask; “Cybersecurity skills gap? What the Hell are you talking about?”

I’m not even going to quote the plethora of doomsday statistics, but suffice to say the majority of organisations and Governments believe the cybersecurity skills gap is actually a real thing and getting worse. They have no idea that the experts to solve most security issues are out there with dumbfounded expressions thinking; “I’m sitting RIGHT here?!”

How can there be a shortage when I, a cybersecurity professional available for hire, am not overwhelmed with requests for help? How is it that EVERY cybersecurity consulting company in the world isn’t experiencing exponential growth? Why do I see cybersecurity practitioners all but begging for jobs on LinkedIn almost every day?

It can only be because those looking for help are simply looking in the wrong place, and here’s an example;

Continue reading

GDPR Fines

Does ISO 27001 Certification Give You Immunity From GDPR Fines?

I was actually chuckling to myself as I wrote that title because I know you were thinking [the equivalent of] one of the following as you clicked on the link:
  • If you have not read the GDPR: “That would be awesome!”
  • If you have read the GDPR: “Don’t be so bloody stupid.”
No, of course ISO 27001 certification won’t give you immunity from GDPR fines, even those related to data security breaches, which is the only thing 27001 actually covers. Data security (as opposed to data processing) is a single Article out of 99, and the fines related to data loss aren’t even the big ones (2%, not 4%). That said, I believe there is a much greater chance of you being fined for lack of security than for any illegalities in your personal data processing. It’s a matter of exposure. Continue reading