Gordon Morrison, director of government relations at McAfee, looks at how GDPR is a once-in-a-lifetime opportunity to overhaul cyber processes.
With less than a year to go, numerous surveys have reiterated how businesses are not yet prepared – and in many cases, have not yet started to prepare – for the upcoming EU General Data Protection Regulation (GDPR). One recent study, commissioned by Veritas, reported that 54 percent of businesses haven’t improved on their GDPR compliance readiness.
With new stipulations around data protection and reporting on breaches, many organisations are taking steps to bring their current procedures and capabilities up to the mark ahead of the May 2018 deadline. But, given the evolving threat landscape and wealth of new technologies introducing risk, CIOs and IT directors must ensure that the focus extends beyond meeting the immediate deadline, to building a cybersecurity programme that will better position the company to deal with future threats and procedural challenges.
While most CIOs and IT directors are approaching GDPR with concern, it perhaps presents a catalyst for positive change in an organisation. The new regulations are providing a once-in-a-professional-lifetime opportunity to secure the budget and organisational support needed to overhaul IT and security procedures.
A call to action
While organisations across Europe have been slow to prepare, GDPR will have a massive impact on the way that any company that operates within the EU manages and protects citizens’ data. The legal framework outlines new rules that impact the entire data lifecycle from collection, processing and storage, to its usage and destruction.
These regulations are not prescriptive in terms of the specific steps and controls that should be taken, but dictate an outcome-oriented approach to protecting customer data. Failing to introduce the right measures puts organisations at risk of heavy fines for unlawful data processing, data breaches, or not appropriately reporting breaches.
The UK Government vocally backed GDPR in the Cyber Security Regulation and Incentives Review, which launched in December 2016. Its hope is that organisations will approach GDPR as a wider call to action to achieve better cyber hygiene, in turn improving cyber risk management across the wider economy.
Take the opportunity
With GDPR adding weight to the debate, CIOs and IT directors must take this opportunity to focus on the wealth of different technologies being introduced into the business. Many companies are looking at how mobility, cloud and the Internet of Things can drive transformation in their organisations, but this introduces new challenges in terms of cybersecurity and data protection.
For the first time, GDPR sets a definitive price on cyber risk – in addition to that which could be lost from stolen IP and brand damage. This, unsurprisingly, has brought secure data management and cybersecurity up the priority list. It’s important for CIOs and CISOs to take advantage of this to secure the budget and internal support that will enable them to create a secure-by-default culture within their company.
Building a secure-by-default culture
With the risk of hefty fines, CIOs and CISOs will find themselves – perhaps for the first time – with the board’s full backing to introduce a culture of secure IT into the company. This support will enable them to get a handle on some significant security challenges that they’ve been facing, such as how to secure shadow IT.
The consumerisation of IT has meant that almost 40 per cent of cloud services are now being commissioned without ever involving IT in the procurement process, according to the McAfee Labs Report. And visibility into shadow IT services has been dropping year on year.
Over two thirds of IT professionals report that this phenomenon is impacting their ability to keep cloud services safe and secure. This is unsurprising, given that more than half of respondents have tracked malware from a SaaS application.
GDPR empowers CIOs and IT leaders to clamp down on behaviour that increases risk, such as shadow IT, and to do so with the support of a board that fears the ramifications of GDPR.
Digital transformation presents innumerable opportunities to the enterprise, but concurrently introduces a number of new data protection and security challenges. CIOs and CISOs must tackle this head on and ensure that the necessary processes are secure by default.
By harnessing the power of GDPR, CIOs and CISOs can capture and keep the board’s attention and support to ensure that these new transformational technologies and processes are managed safely and securely. And while it will bring its own immediate challenges, it has the potential to revolutionise how organisations approach cybersecurity for the next professional lifetime.