Sam Curry, CSO at Cybereason, weighs in on the upcoming GDPR.
The European General Data Protection Regulation (GDPR) is coming, and if you have any affiliation with security or privacy in your professional career, you’ve seen vendors and service providers hawking FUD (Fear, Uncertainty and Doubt) for almost a year now. As with many regulatory issues over the years, I’m reminded of what a consultant friend of mine told me in an early wave: “If you can’t be part of the solution, there’s good money to be made in prolonging the problem.”
Even with GDPR “going into effect” on May 25th and claims of fines “up to 4% of turnover” all over the mini-sites and brochures of companies seeking to make money off the regulatory-expected boom: don’t panic! Should you take GDPR seriously and make it a big part of your operations and procedures? Absolutely.
However, the objective of GDPR is to update the former, aging privacy directive that is not only outdated and ineffective but is positively venerable at over 20 years of age. GDPR does not fail to deliver here, but it isn’t a ticking time bomb by any means. Many aren’t even aware that GDPR is already the law and the upcoming May milestone is merely an enforcement milepost, or that the 4% penalty threatened is really a worst case scenario and not the immediate, reflexive penalty for non-compliance.
Watch the video below to find out more about GDPR
What GDPR does in many ways is update the very notion of privacy for a lot of the world, not just Europe. Japan is following suit modeling its legislation on GDPR, but it’s to be hoped that more jurisdictions will continue and build on this too in many ways. The notion of what constitutes personal information is being expanded dramatically, and who is affected is also being expanded. A simple Google search can give a lot of details, but a good rule when doing so is to avoid the FUD and be cautious as you read.
What GDPR really means
At the heart of the GDPR are two things: the need to treat citizen information as a top priority and the need to practice security properly and with a rationale. Add to that working with regulators and husbanding resources and advancing a program effectively to minimise risk, do nothing egregious and frankly do security right, and a company should be in good shape.
There are many formal definitions for security, but one of the most pragmatic that I use is the “cost to break” a system. When the cost to break for a practical attacker drops, then security is getting worse and when it rises, then security is improving. This isn’t necessarily correlated with privacy, but I like to think of a pragmatic understanding of privacy has to do with the “cost to learn” about a person or group in a connected world. If your company is meaningfully reducing the cost to learn about a person or group’s activity, affiliations, identity, relationships, interests and so on, such that someone could more cheaply build a dossier without that person’s knowledge, visibility or control, then you are harming privacy. GDPR will do more to advance the cause of privacy than any other direct measure in 20 years.
However, this will cause some problems. As reported in the Guardian recently (https://www.theguardian.com/technology/2018/feb/06/gdpr-data-protection-law-scammers-whois-tools-internet-european-privacy), services like Whois have to rethink what information can or can’t be shared. No doubt, many more such public services, some of which are beneficial or important to the public trust in the Internet or to vital services, might be impacted. However, even here, I say “Don’t Panic!”
The universal response to GDPR (and to any other looming doomsday predictions touted in webinars) should be “Don’t Panic!” and then get methodical. There are two things to do here that are critical. The first and most difficult is to get the program right: identify the vision and mission of the department, work with non-security teams to align to the business, establish a framework, work through the details with the direction of the program in mind to get controls and make it a living document.
The second piece is to use peacetime to prepare for crisis. In a crisis, our judgment and rationality become clouded. This is a natural side-effect crisis response when our brains flood us with cortisol and we experience the fight-or-flight response. This means you have to prepare contingencies now, practice what you will do when the unthinkable happens. Get in the habit of responding to these, so the reflexes, tools and mechanisms are there to succeed.
You will, in the end, have earned the right to not panic and to deal with the FUD from the market because you’ve done the homework and have built a business-responsible, flexible security machine. That’s the goal here, but even if you aren’t ready and haven’t done all this, deal with it one day at a time and avoid panic. To paraphrase Frank Herbert’s Dune, fear is the mind killer; and will most assuredly kill the rationality of the security department if not resisted.