The General Data Protection Regulation (GDPR) is less than 265 days away from coming into force. By now, every IT security professional has heard about it, and the fear of non-compliance with the new regulation — due to its harsh financial consequences — is even reaching the boardroom agenda. But what is not being reported is that the GDPR is actually a very positive event.
Instead of viewing the GDPR as just another challenge, and one more regulation to uphold, it should be viewed as a positive force for change. In ClubCISO’s recent Information Security Maturity Report 2017, 79% of CISOs call out the GDPR as being a driving factor in securing much needed additional funding for the IT department. Additional finance for IT is always welcome, especially while security professionals are facing an ever more complex threat landscape.
But the GDPR is so much more than that: it is an opportunity. The GDPR is one of those critical moments in time that can help future cyber security leaders take charge and add value to their organisations. It can change the status quo and change security strategy for the better.
Better boardroom relationships
The Information Security Maturity Report 2017 revealed that today, across boards in multiple businesses in the UK, a clear disconnect exists between the expectation and reality of how information security can and should be managed.
For example, CISOs naturally like to think of their roles as strategic. At the same time, as part of their day-to-day job, they rate strategy very low as a responsibility (6%). Their boards on the other hand think CISOs should prioritise this responsibility more highly (37%), and in reality that broadly equates with CISOs’ real life remit (35%).
The GDPR can help to change this. Not only are boards willing to invest more in solutions, right now — given that the regulation will touch so many parts of the business — it is actually driving CISOs to work more closely with their legal departments and supply chains. The last point is particularly interesting for CISOs as supply chains are traditionally difficult to audit and always seem to have security gaps. But today, CISOs are working more closely with vendors, tightening up control of third parties across the business and writing security clauses into contracts.
Overall the GDPR is a great opportunity for CISOs to form excellent working relationships with colleagues, and change the perception of IT as a slow moving cost centre to a proactive, strategic, problem solving machine. It also provides a chance to work together to reinforce the importance of good cyber security practices across the organisation, with the backing of almost every business leader.
An opportunity to change “the security of always”
For many years companies have focused their efforts on prevention. In fact, 78% of company boards still place their focus squarely on prevention capabilities, rather than response (just 22%). Preventing a breach is undoubtedly still important within the context of GDPR compliance. However, the reality is that the majority of companies will face a breach at some point. And if they focus solely on prevention, these companies, their CISOs and their boards will be found wanting — leading to monetary loss, reputational damage or, at worst, the destruction of the business.
Again, the GDPR offers an opportunity for positive change. CISOs now have a chance to adopt a more holistic, digitally driven, fit-for-purpose security strategy. They can start focusing on recovery and prevention — in equal measure — and have a legitimate reason to engage the board in a conversation about the importance of this subject.
The GDPR is complex, and should not be downplayed. But the GDPR is also full of opportunity. It just needs CISOs to take a step back and focus on the positives. After all, it was George Bernard Shaw who once said, “progress is impossible without change, and those that cannot change their minds cannot change anything” — and it’s never been more true. View the GDPR as a force for positive security change and enhancement, and it will be exactly that.
– Marc Lueck, ClubCISO Chairman