A new year is almost upon us, and that means one thing: resolutions. Easily made, even more easily broken, they’re nevertheless a useful way of setting goals for the next 12 months. We asked Brian Honan, Tracy Elliott, Sarah Clarke, Valerie Lyons and David Prendergast to share their tips for information security practitioners and privacy professionals. Here’s what you can do differently or better to protect your organisation and its critical data in 2019.
The first resolution is to attend at least two cybersecurity conferences this coming year. Choose the events well, and they can be a great source of knowledge and learning to apply in the daily security role. “It’s important to pick conferences that you feel will help you learn, not a vendor event that’s about how great their products are. Look for conferences that provide independent speakers, or topics on areas of interest to you,” says Brian.
Another reason to go to more conferences is the valuable opportunity to network with peers. “Sometimes we learn more from talking to others thanfrom training courses or reading articles,” adds Brian.
Resolve to take key business leaders in your organisation out to lunch, to discuss the challenges they face and understand how security can help them to address those challenges. Those lunchtime conversations can uncover important business needs. For example, HR might have difficulty retaining staff. Devising a secure way to let certain employees work remotely, or from home, could help employee retention rates without putting sensitive data at risk. Similarly, the marketing department might need a way of exchanging large documents and files with external design houses or ad agencies. But how is this possible if the company restricts mailbox sizes and blocks file sharing platforms like Dropbox?
These lunches can help to position the security function as a business enabler, not an obstacle to getting things done. It’s about finding workable solutions that maintain security because otherwise, people will find their own workarounds – and that introduces risk. “When you meet with your business peers, you can better understand their challenges. It becomes about how I as a security professional support that business objective while protecting the company’s key assets. Rather than ‘no”, the security practitioner says ‘yes, but’. Or better still, ‘yes and this is how we recommend you do it’,” says Brian.
Brian’s third tip for security practitioners is to try and sleep more. By his own admission, it’s slightly tongue-in-cheek but there’sa serious point behind it. There’s a growing conversation around the high levels of fatigue and stress in the profession, leading to burnout. “To be effective, we need to look after our own personal health. It’s important to take steps to ensure we can keep ourselves in the best condition to do our jobs. It’s trying to make sure you’re compliant as well as your security programme,” Brian advises.
Turning to privacy, Tracy Elliott predicts 2019 will see activity around the General Data Protection Regulation [GDPR] move from theory to practice. “A lot of 2018 was about writing data protection policies and putting governance structures in place. The next 12 months will focus on training people in specific jobs in what they need to know about data protection,” she says.
The responsibility for training and awareness falls to an organisation’s designated data protection officer (DPO). That ranges from simple things like posters in staff canteens to help refresh people’s memory about, and awareness of, GDPR. Then DPOs should identify key roles in an organisation,who need tailored data protection training that reflects their specific job. For example, a nursing home healthcare assistant needs to know about speech privacy as part of protecting sensitive patient information.
Even as confusion surrounds Brexit, it’s time to plan for whatever the outcome might be. (Insert your own joke about seeing the words ‘Brexit’ and ‘plan’ in the same postcode, let alone the same sentence.)
Sarah Clarke points out that a future adequacy agreement is not certain between the UK and the EU. It’s possible that in the event of a no-deal Brexit, the UK will become a third country outside of the EEA. That would mean all transfer of data between Ireland and the UK will be considered as international transfers.
With this in mind, Tracy Elliott says data protection officers should review their organisation’s processing activities. They should identify what data they are transferring to the UK, and whether that includes data about EU citizens. “Consider your options of using a contract or possibly changing that supplier. If your data is hosted on servers in the UK, contact your hosting partner and find out what options are available,” she says.
Larger international companies may already have data sharing frameworks in place, but SMEs that routinely deal with UK, or that havesubsidiaries in the UK, might not have considered this issue yet. All communication between them, even if they’re part of the same group structure, will need to becovered contractually for data sharing. “There are five mechanisms for doing this, but the simplest and quickest way to do this is to roll out model contract clauses [MCCs]. They are a set of guidelines issued by the EU,” Tracy advises.
Here’s where contingency planning is vital. “Use of MCCs has its own risks as they are due an update to bring them into line with GDPR,and Privacy Shield [the EU-US data transfer mechanism] is still on trial,” Sarah warns. However in the short term, MCCs fits the bill both for international transfers between legal entities in one organisation, and for transfers between different organisations. “For intra-group transfers, binding corporate rules are too burdensome to implement ‘just in case’. You can switch if the risk justifies it when there is more certainty,” she adds.
Sarah points out that regulators won’t tolerate inactivity. That said, they may grant some leeway if an organisation decides on a particular approach and documents its reason for doing so – even if that approach needs to change later. In other words, doing nothing is not an option – a bit like the best New Year’s resolutions.
Valerie Lyons writes: “If we look to the US patents office, we see the top patents of 2017 fell into cloud, AI, machine learningand big data. Privacy regulation alone will not be able to address the challenges associated with many of these technologies. Gartner agrees, highlighting Digital Ethics and Privacy as one of its top trends of 2019. Privacy practitioners should familiarise themselves with digital ethics frameworks and look not just at privacy governance but information strategy and data management.”
Sometimes, working as a security or privacy professional can feel like the circus act who keeps plates spinning. There are so many things to do, and so many places in the organisation to start mitigating risks. All the time, there’s an audience of compliance officers, auditors, regulators and bosses, waiting to see if one of the plates will drop. “Stop prevaricating. Pick one initiative and get it done, rather than starting three things and finishing none. That way, you’ve achieved something tangible you can point to. And it’s one less task on the list,” says David Prendergast.
When it comes to security awareness strategy, as a certain sportswear company might say, just do it. “Don’t wait for a big budget. You don’t need huge sacks of money to explain to people what the risks are, and why they need to change behaviour,” says David. “Security professionals can often be quite shy of talking to IT people because we think they want us to fail. They don’t. They read different press, and if you just tell them the basics, you might just win some allies.” David also agrees with Brian’s point about collaborating more during 2019. “Talk to your colleagues and talk to your peers; they’re probably struggling with the same issues you are. The only daft question is the one you didn’t ask,” he says.
What resolutions have you made for 2019? Let us know in the comments below.