Ask a lawyer what ‘appropriate’ or ‘reasonable’ means and they’ll come back with something like; “What would be considered fair by a disinterested third party with sufficient knowledge of the facts.”, or “Fair, proper, or moderate under the circumstances.”
Now translate that into what kind of security measures are considered appropriate? How would you justify that what you are doing is reasonable, fair, or proper under the circumstances?
Because that’s what you’ll have to do if things go wrong under GDPR. You’ll have to justify that the measures you took to protect personal data were underpinned by an appropriate program for measuring and treating risk. If your breach was shown to be anything other than a determined attacker, all you’ll have in your defence will be poor excuses. This is no better than negligence.
When you consider that the General Data Protection Regulation (GDPR) – and every other regulatory compliance for the matter – was written by lawyers, should we not be able to work out what ‘appropriate’ means for a security program? After all, lawyers have no problem defining the word ‘reasonable’, they even apply it to their fees!
The good news is that the process is not only well known, it’s simple; it’s called Risk Management, and it’s been around for decades.
Step 1: Complete your Asset Register;
Step 2: Map your assets to your business processes (which should already be mapped to revenue);
Step 3: Map your business processes to your business goals;
Step 4: Run a Risk Assessment against all business processes and / or key IT systems;
Step 5: Document the business impact of each risk (mapped against both revenue and business goals);
Step 6: Document Senior Leadership’s risk appetite against each business goal;
Step 7: Perform full analysis of security controls, determine if there are any gaps between the current state and the risk appetite;
Step 8: Fill the gaps;
Step 9: Document everything; and
Step 10: Repeat annually, or prior to any major changes.
Now put yourself in the shoes of an auditor after you have been breached. What are they going to ask you for? What could anyone reasonably expect you to have in place if you were taking your duties seriously?
If I was an auditor I’d ask for 5 things up front, as without them I know there is no way you have an appropriate security program in place:
- A mapping of your policies, standard and procedures to whatever security framework you based your security program on;
- Your risk assessment procedure, and the results of the last one conducted;
- Your risk register;
- Your change control procedure; and
- Your incident response procedure.
At this stage I would care nothing for your technology, or how much you spent on it. A technology purchase outside of a properly defined business need is nothing more than smoke and mirrors. Besides, no regulator has ever tried to qualify how much you spent. It’s up to you to show why you spent what you did, and why you didn’t spend more.
The thing to bear in mind here is that the validation of ‘appropriateness’ is not a conversation, it’s documentation. It’s not even evidence of the technologies you have running, it’s showing that the technologies you do have meet the risk you have defined. While from a lawyer’s perspective, appropriate is demonstrated by precedent, in cybersecurity, appropriate is demonstrated by the extent and capability of your security program.
Complying with the cybersecurity elements of the GDPR is simple, every step is written down for you somewhere. There are a few things to bear in mind though:
- GDPR is 95% about how you get the data, and what you then do with it when you have it. Anything you spend on security should be justified against the business goals, not a compliance requirement;
- There is no cyber insurance against loss of reputation, this should not be about the money; and
- Any security vendor offering “GDPR Compliance” is at best telling you 5% of the story, at worst, is lying to you.
While I agree it may be difficult to sort through the good advice and the crap when it come to this stuff, there is no excuse for doing nothing. GDPR and every regulation to come will not change the basics, security will be the same regardless.
The issue is not regulation, it’s that organisations still aren’t asking the right questions.
[If you liked this article, please share! Want more like it, subscribe!]