On the Convergence of Data Privacy and Data Security – Part 1

If you’re fairly new to this ‘privacy stuff’, you might be wondering why I used the phrase ‘data privacy’, not ‘data protection’. Well, unlike the security industry where we can’t even agree on when to use ‘cybersecurity’, ‘data security’, or ‘information security’, the privacy world has its act together. Hell, security folk can’t even agree on the spelling OF cybersecurity/cyber security!

But for the purposes of this blog, and the Part 2 guest blog to follow, it’s important that you accept my definitions at least, whether you agree with the names or not. It’s the points I’m trying to make that matter, not the nomenclature.

Continue reading

Cybersecurity Vendors: Masters of Distracting Innovation

I’ve heard that the best writers draw inspiration from the people around them. Clearly this works for crap writers too, because I totally stole the phrase ‘distracting innovation’ from a friend of mine. So thank you for that Gareth.

I have dedicated the last half of my career to providing my clients the only thing that makes sense to me; an appropriate security program that supports and enables the needs of the business. I have also chosen to predicate the implementation of that program on the following well established cornerstones. In order of importance:

Continue reading

Why the BA Fine Was So High, and What YOU Can Do To Avoid the Same

I have long maintained that fines under GDPR are the last resort, and that the ICO do NOT want to use Article 83 of the GDPR as a stick to scare organisations into compliance.

The ICO commissioner, Elizabeth Denham has even said as much herself, using the word “nonsense” when it was suggested that large fines would become the norm, that “Issuing fines has always been, and will continue to be, a last resort[…]“, and “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective […]“.

Continue reading

How Valid Can the IAPP’s Certifications Be?

I have made no secret of my distain for the ‘GDPR Practitioner Certification‘ badge, and I still have no time for it, or its recipients who pass it off as real-world experience. But what alternatives are there if you want to obtain some form of data protection certification / privacy education?

The de facto standard, and really the only player in town, is the International Association of Privacy Professionals (IAPP), and their flagship badge, the Certified Information Privacy Professional (CIPP), is the most widely recognised and respected acronym you can add to your CV/resume. It’s the equivalent of the CISSP for those of us in the cybersecurity industry.

Continue reading

Artificial Intelligence (AI)? You’ve Just Lost Two Buyers

I am absolutely sick to death of security vendors using the buzz-phrase Artificial Intelligence (AI) as a descriptor for their product or service.

Because:

  1. AI does not even exist yet, the most you can say is that it’s very clever programming;
    o
  2. Not everyone is a fan of AI.

So, by trying to claim your product uses AI, you have now alienated 2 types of people; 1) those who hate bullsh*t artists, and 2) the paranoid.

In cybersecurity, there are a lot of both.

Continue reading