Today marks the implementation of the EU’s General Data Protection Regulation (GDPR). Two years of educating, planning and preparing, not to mention significant investment, to meet compliance requirements has led to this moment.
It’s a new era for data protection in Europe and beyond: extensive rights for citizens and responsibilities for organizations aimed at improving privacy and mitigating the risk of cyber-attacks and data breaches. Yet, with this touted ‘gold standard’ of protection now in place, what comes next for cybersecurity professionals, particularly for the CISO who has been leading efforts to become compliant from a security standpoint?
The work for GDPR has just begun
Now that the implementation date has arrived, it would be simple for CISOs and cybersecurity professionals to see GDPR as job done. Yet the task to comply with GDPR does not finish today. Cybersecurity professionals will play an intrinsic role to ensure compliance is maintained long term.
For example, cyber professionals will always be monitoring for abuse, illegal access or breaches, and, should one occur, working with the legal team and the Data Protection Officer to report it to the DPAs (or publicly if needed).
In addition, while Fortune 500 firms have invested a combined $7.8bn in preparing for the regulation, the majority of organizations are still working towards being fully compliant. Our research launched last week found that 85% of companies are not ready for the legislation, with one in four unlikely to be fully compliant this year.
For CISOs of firms that aren’t compliant the ‘what next’ is more of the same, but with increased urgency: leading their organization to build their “privacy by design” and “secure by default” processes while balancing prevent/protect and detect/response capabilities.
Additional legislation
While Europe’s attention has been heavily focused on GDPR, there are other regulations which CISOs and cybersecurity professionals must manage. Most notable is the Network and Information Security (NIS) Directive, which aims to improve the EU’s preparedness for cyber-attacks, particularly on critical infrastructure such as energy, utilities, finance, healthcare, digital infrastructure and transport. This regulation means that CISOs operating in these industries and the public sector will have to implement strong defenses against cyber-attacks.
While GDPR focuses on personal data, this regulation is about system-level infrastructure, and so will be a great challenge for the relevant CISOs. We may also anticipate the trends around AI and IoT becoming big issues to handle in the near future.
The changing role of the CISO
Aside from regulations, there is also a wider shift taking place in terms of the CISO’s role. Historically, the CISO had to not only assess risk and comply with ISO 27001 standards, but also protect a firm from hacking and malware with tools and processes for data confidentiality and infrastructure availability. GDPR has changed this, separating the CISO role from that of a Data Protection Officer (legal and IT profile), allowing the CISO to now focus on business and security specifics around digital transformation and the cloud journey.
The evolution of the CISO’s role goes much further than delegating data protection: they also have a crucial role in new digital product development and improving the firm’s bottom line.
At present, many firms go to market without considering embedding security in the product or service. Now, instead of cybersecurity being an afterthought, CISOs will be involved from the start to ensure all new offerings are GDPR compliant and secure by design from a business, legal and technical standpoint.
In turn, this will result in a bottom-line boost for their business. Our research indicated that of those consumers who are convinced an organization protects their personal data, 39% have purchased more products and increased spend with that firm as a result.
This increased spending is substantial, with these consumers spending as much as 24% more. As a result, it’s likely the business will begin to see the CISO as a more important strategic function, meaning their responsibilities increase beyond defensive work to building products and the firm’s brand.
New role, old job title
The shift to cloud will also have a transformational effect on the CISO’s role. Although firms are aware of the potential operational benefits and increased profits of moving their systems onto cloud infrastructure and services, many are still afraid to do so due to cyber risk (data location, access and sovereignty).
Recent Capgemini research found 46% of firms think concerns over cybersecurity are the number one challenge in the move to cloud. Therefore, CISOs will have a crucial role in helping a firm digitally transform and move to the cloud while protecting its data. Perhaps we will even see the evolution of the job title to ‘Cloud and Infrastructure Security Officer’. Still a CISO!
GDPR is the start of a new era for cybersecurity professionals and, in particular, CISOs. While it remains a critical part of the CISO’s role to ensure the business is compliant with GDPR and other legislation, there is also a large opportunity.
CISOs and cybersecurity professionals now have the chance to really perform a strategic business function: improve customer experience with data protection and help the firm digitally and securely transform with cloud.