Don’t think about the new EU General Data Protection Regulation (GDPR) in terms of fines. Think about creating a culture of privacy and security by design.
What does that mean? While such an approach will encompass personal data protection and cybersecurity, it is about much more than personal data and technology. Just because the ‘D’ in GDPR stands for ‘data’, you can’t simply turn on a data loss prevention (DLP) solution and consider the job done. Even with a technology-led approach – and don’t get me wrong, adopting more DLP tech is a good thing – any organisation still has to think about the business processes that technology affects, the breach detection processes it affects, the people who will operate it, and the individuals whose data is processed, since they are the ones facing personal risk.
Sticking with the people for a moment, across an organisation you need to see how the various roles are affected: everyone from general users, to privileged users, to senior executives and leaders.
Then, for the business processes, map the data flows and identify what is affected by the collection, storage and usage of personal data. The proper technology and procedural controls then have to be put in place around those flows.
The way to do all this is to adopt frameworks like the ones that follow. First, think of security strategy in terms of governance, people, processes and technology. Then consider the security outcomes you need in order to be GDPR-ready, and the solutions that deliver them.
Reviewing Security Strategy:
This new regulation certainly raises the bar for data protection within an organisation. Preparing for the various protection and reporting conditions of the new regulation – within an interconnected, fast-moving digital enterprise – demands a holistic review of security strategy across governance, people, process and technology:
In many circumstances, preparing for the new regulation requires the appointment of a data protection officer who is responsible for organisational compliance and communication with supervisory authorities. Moreover, given the high fines that can be levied for violations, GDPR has board-level attention, which most likely requires new internal reporting structures and a continuous compliance culture. These structures are essential to developing a successful data protection programme for the long term.
Within any organisation, data security is everyone’s responsibility, not just the guys in security ops. It’s essential that everyone, from executives to users, administrators and developers, is educated on how to protect data and is ready to challenge shortcuts when they are proposed. Making our people part of the solution rather than part of the problem goes a long way towards developing a culture of security and privacy by design.
Several key security and business processes should be reviewed for applicability and current state of capability. This review should take a comprehensive look at data collection, flows, processing, storage and handling to get an understanding of the scope of the issue. Key data protection processes include classification and monitoring, as well as application development and security testing.
Think about a security system that allows you to protect data at rest, in motion and in use, while enabling rapid detection of and response to a breach. Organisations should review whether their current best-of-breed security technology strategy will deliver the effectiveness needed to keep pace with new threats, as well as the operational efficiency needed to stay within budget.
Measuring Security Outcomes:
Assessing GDPR-readiness requires a review of the organisation’s current security programme. The following cyber security outcomes are critical to any organisation undergoing digital transformation and are the main pillars of any GDPR-readiness preparations. Your security solutions should enable the technical building blocks at the endpoint, network, cloud and SOC to work together as an orchestrated system that provides the prevention, detection and response capability necessary to achieve these outcomes.
Neutralise Emerging Threats
Malware infections and exploits of application vulnerabilities are key attack vectors that lead to data exfiltration. Advanced threat defences at the endpoint and network can harden the attack surfaces against known and unknown malware. In the SOC, leverage threat intelligence from multiple sources to proactively hunt for attackers.
Protect Vital Data
Any good data security programme must have the capability to protect against, detect and correct both accidental data loss and malicious theft attempts. Encryption and data loss prevention (DLP) technology are fundamental to preventing accidental data loss incidents. In the SOC, SIEM combined with advanced user behaviour analytics will be the key enabler for identifying and investigating insider threats.
Protect Cloud Environments
Software-as-a-service (SaaS) and cloud-hosted applications present particular challenges for GDPR preparations. Many organisations also use separate cloud and enterprise security solutions, which can create gaps in visibility and protection. Think about a unified security system that allows you to extend protection, detection and correction capability to cloud environments easily.
Optimise Security Operations
Many security operations centres lack capabilities for data breach detection and response. A critical requirement in GDPR readiness is being able to report within three days, so it’s essential to develop data breach playbooks within security operations. Additionally, orchestration technologies can help bridge gaps between tools and teams and speed up incident response.
This is my recommended framework: it starts with the four dimensions of security strategy (governance, people, process and technology) to arrive at a culture of security and privacy by design.
The second half of the framework shows how security must be approached to achieve the right GDPR-ready outcomes.
Getting ready for the GDPR should be front of mind for enterprise business and security executives this year, who should prioritise investments and implement new programmes or solutions that ensure the business is ready for the enhanced regulatory environment.
How ready are you?
The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, is for information purposes only, and does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit, promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organisational measures that are required to deliver operational privacy and security in your organisation, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.