{"id":24579,"date":"2017-02-27T04:00:15","date_gmt":"2017-02-27T12:00:15","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=24579"},"modified":"2017-02-24T15:23:28","modified_gmt":"2017-02-24T23:23:28","slug":"cso-5-emotional-stages-preparing-gdpr","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2017\/02\/cso-5-emotional-stages-preparing-gdpr\/","title":{"rendered":"5 Emotional Stages of Preparing for GDPR"},"content":{"rendered":"<p>I was at a recent IDC security leaders\u2019 dinner where the topic of GDPR came up again, with discussion of how security leaders perceive it. The question was whether they see it as a \u201cglass half empty or glass half full\u201d scenario:<\/p>\n<p>Do you see the regulation as an opportunity to review and evolve your cybersecurity capabilities, leapfrogging today\u2019s requirements and building something that can scale for the future? Or is this another regulatory burden that companies must \u201cget through\u201d before moving on to the next daily challenge?<\/p>\n<p>Having been a strong advocate of the opportunities GDPR provides for the last couple of years, I\u2019m still struck by the variety of emotional responses I get from security leaders when discussing the legislation. I draw a parallel to the five stages of bereavement.<\/p>\n<p>For many, the first response is <strong><em>denial<\/em><\/strong>. I\u2019m struck by how many still either don\u2019t believe it will affect them or don\u2019t believe penalties will actually be enforced, and therefore conclude they need not take it seriously (which leaves me wondering why they don\u2019t see the societal value). The reality is that, no matter how much we choose to ignore GDPR, it is happening, and we must make a positive decision about whether or not to embrace it. 
Typically, getting through this emotional state is a challenge of education.<\/p>\n<p>This leads into the next stage, <strong><em>anger<\/em><\/strong>, which I would exemplify with the statement \u201cJust tell me what I need to do!\u201d Unlike PCI DSS, an industry-led standard that is very prescriptive (you must have X &amp; Y), GDPR contains very few clear technical definitions. For example, what is \u201cstate of the art\u201d (Article 32)? What does \u201cdata protection by design and by default\u201d (Article 25) require in practice? And when does a breach really start? On that last point the regulation does set one hard marker: Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, so pinning down what \u201cbecoming aware\u201d means for your business is not optional. Security practitioners like things black and white; the regulation is shades of grey. It requires each of us to work across our business teams to interpret and define exactly what it means to our business, and how we quantify and qualify this both to our business and to third parties.<\/p>\n<p>All too often I\u2019m seeing this lead to <strong><em>bargaining<\/em><\/strong>. To quote one instance: \u201cWe have been working with our legal team and will argue the definition of a breach does not apply effectively.\u201d Whilst I\u2019m sure a few will gain some early successes with this, to me it feels like swimming against the tide. I can only expect definitions to be tightened where needed, and the underlying intent of the regulation is clear: protect citizens\u2019 personal information and drive confidence in the use of technology in today\u2019s society.<\/p>\n<p>Essentially, at some stage, most go through <strong><em>depression<\/em><\/strong> (the glass half empty: \u201cThis is real and happening, and you can\u2019t ignore it or wriggle around it\u201d). This leads to the realisation that we need to understand just what the gap is between where we are and where we need to be, and to gather the budget and support to close it within the business. This is the point to switch to the glass half full, if you haven\u2019t already. 
How often do you get the opportunity to step back from the daily cyber grind and review and re-architect with an eye to the future? Most of us carry a lot of legacy, and this is a perfect opportunity to phase it out.<\/p>\n<p>The reality is that, whether we like it or not, we end up at <strong><em>acceptance<\/em><\/strong>: It is happening; GDPR becomes enforceable on 25 May 2018, and any one of our businesses could be held to account, either as a result of an incident or, as I suspect will be the most likely trigger for many, because a third party in your supply chain requests evidence of your compliance as they work towards their own. I can share that I\u2019m aware of companies already receiving such requests.<\/p>\n<p>So, what are the takeaways here? All too often cybersecurity is treated as a purely technical challenge. Yes, we are improving at handling the human side of attacks (social engineering, the insider threat), but in this instance there is a human aspect on the defensive side that we must factor in as well. As you map your business strategy to the new GDPR requirements, build in time for your own emotional journey, and realize that others in the business need to go on their own. Consider what you can do to short-circuit this: get educated and discuss with your peers both inside and outside your own business. Don\u2019t assume that all your stakeholders are at the same point of the journey you are; take the time to validate where they are and how you can nurture them through to maturity. GDPR is coming; it\u2019s a positive opportunity to improve our own cybersecurity capabilities and a pivotal change to ensure confidence as we become an increasingly digital society.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Do you see the regulation as an opportunity to review and evolve your cybersecurity capabilities, leapfrogging today\u2019s requirements and building something that can scale for the future? 
Or is this another regulatory burden that companies must \u201cget through\u201d before moving on to the next daily challenge? EMEA CSO Greg Day shares his thoughts on upcoming EU legislation.<\/p>\n","protected":false},"author":150,"featured_media":20190,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1766],"tags":[432,2684],"coauthors":[1466],"class_list":["post-24579","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cso-perspective","tag-emea","tag-gdpr"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2016\/09\/CSO-web-banner-650x300.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/24579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=24579"}],"version-history":[{"count":5,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/24579\/revisions"}],"predecessor-version":[{"id":24618,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/24579\/revisions\/24618"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/20190"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media
?parent=24579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=24579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=24579"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=24579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}