In May this year we saw the go-live of the most significant change to data law (GDPR) in 20 years. Nearly every organization [that holds personal data] has had to ensure compliance with this new law, and I suspect, like most CISOs and DPOs – we were all very busy checking or building the capabilities and structures necessary to ensure data breaches could be reported within 72 hours and compliance with the law could be met.
This law has significantly ramped up the power and authority of the CISO and placed the role of the DPO squarely on the map. The new law (Article 32) talks about appropriate and proportionate technical and organizational controls, but also underlines the fact that the protection of personal data (i.e. its Confidentiality, Integrity and Availability) is now a legal requirement. This means that you have to really justify [and document], following a data incident or a complaint/rights request from an individual, why you chose not to implement a particular control, e.g. DLP, encryption in transit, RBAC, etc. The onus is now on us to prove we did everything possible, not the other way around, as it has been for many years.
In other words, every personal data location including its current status (plus archived data and unstructured data) needs to be known, with appropriate controls specified. That is to say, not every piece of data requires significant controls, but at the very least, your DPO and CISO [or CIO for smaller organizations] must know why (legal basis for collection), what (type and classification), where (data stores, cloud, third parties), when (retention schedules) and who (access control) – when it comes to personal data across your landscape or environment (including your third party data processors like outsourcers).
So the level of protection, compliance and governance surrounding data has received significant attention over the last few years and as a result, we have witnessed a significant uplift in the levels of protection, security, ownership and accountability.
This has also resulted in vast swathes of previously unknown individuals, typically known as data stewards, being nominated as data owners or data custodians, with new levels of responsibility. These employees have suddenly found themselves responsible, accountable and answerable for data protection and data subject rights, and may have had to face the internal auditor, the DPO/CISO or, in some unfortunate circumstances – the UK regulator. All may demand a status report on how you are demonstrating compliance with GDPR.
Data protection hygiene
The British Airways and Marriott data breaches are further examples of [potentially] poor data protection and security, or, as some would say, insufficient time and money being spent on the most critical areas of data.
Throughout my career, like most CISOs and DPOs, I have always encouraged organizations to understand where their most critical data assets lie and how the data flows from point A to B, and have tried to ensure that, depending upon the risks [and level of vulnerabilities], appropriate and proportionate risk-based controls are applied in full. With GDPR, this is now mandated and encouraged by the regulator.
This includes ensuring that every ingress point, every device and ideally, every person has the suitable level of access control relevant to the role they perform. Of course, it’s easy to blame the systems administrator, or the poor unsuspecting user who innocently clicked on the phishing link, but the real answer lies in how they are using the data, where the data was stored, why the data was needed in the first place [think data minimization], when it is used and of course - who has access to this data and how you keep checking that only the right people have access.
Only by answering these basic questions do you begin to fully understand how your data is being used, what technology or application is being used to deliver the functionality or services, what procedures sit behind the use, who needs access [and why] and critically, where and when the data is most vulnerable [as this changes throughout the data lifecycle].
Any decent risk assessment methodology will reveal what controls are needed and which controls will add the most value, but it doesn’t end there. A risk assessment and subsequent penetration tests will inform senior management and the cybersecurity experts where to focus their efforts, but it takes time, experience and knowledge about how your systems work, the people involved, the organization’s culture and the processes needed to deliver, plus how these exploits are carried out and how likely they are to materialize.
What does the DPO do?
So what can you do, as a DPO or CISO? You are heavily reliant on your security architects and your cybersecurity experts to tell you what they are doing, and they will no doubt talk about strategic ‘Defense in Depth’ [which means a layered approach], or how the latest application, the all-seeing eye of anti-virus and data loss prevention, and the state-of-the-art 24x7 SIEM/SOC will spot and contain any naughty behaviors in an instant.
It sounds impressive and often is, but what we need to knuckle down to is where and how the most precious personal data is being used, how it flows, where, why and when, and to ensure the controls we stipulate fulfil our minimum obligations under GDPR.
Of course, Article 32 leaves a lot to interpretation and does mention CIA, but it’s possibly the shortest of the Articles, and yet, strangely enough, it covers the single biggest cause of cybersecurity breaches, litigation, fines and still one of the biggest causes of reputational damage - damage that could affect an organization’s share price and the confidence of stakeholders, staff and customers.
So why is so little attention paid to such a large subject? Well, I suspect because the EU looked at the $150 billion size of the security industry, and thought ‘there is enough best practice out there, so why would we hang our hat on one particular model?’ After all, one size does not fit all and there is no silver bullet.
Red lines drawn
So, the approach I have taken is to ensure the CISO or security function has a minimum set of ‘red lines’ when it comes to personal data and/or sensitive personal data.
These red lines come in many forms, but I think it is fair to say that experience tells me that if you ask for too much you get very little, so I have ensured my minimum red lines are achievable and importantly – measurable and risk based.
Examples include forced password complexity [alphanumeric with expiry], encryption of data at rest and in transit, DLP on the endpoints, honeypots, active monitoring and alerts, active threat and vulnerability management, patching and of course the biggest weakness – people: training and awareness [phishing, tailgating, forced wearing of badges].
However, whilst we are busy working on the legacy data, don’t forget to mandate that all new projects, changes and upgrades to existing systems, process changes, new channels and new data collection points are all subject to the data protection by design review.
The data protection impact assessment (DPIA) should look at the project or solution and specify the harm or risks facing the individual and business should appropriate privacy controls not be applied.
In many organizations, this relatively new process is still bedding down, so my advice is to at least ensure you have defined your minimum red lines when it comes to data security, and to push your business/data owners to demand that cybersecurity show how they are achieving these minimum best practices.
Warning: Please do not ONLY rely on ISO27001 or other best practices to seek assurance that security is working, ask them instead to prove to you how they are demonstrating compliance with your minimum rules.
In summary, the DPO and their team should be working hand-in-glove with the CISO/security team [including legal, compliance, risk and internal audit] to ensure that all the most relevant risks and vulnerabilities are being adequately addressed, documented and managed.
Whilst it might be tempting to leave Article 32 to the cybersecurity experts, I’m afraid you’ll be leaving yourself and the organization potentially exposed unless you sit down with them and agree your minimum red lines.