“By ensuring that the enterprise has the appropriate skills, advice and guidance embedded within its governance, risk management and operational business practices, the objectives of good cyber security and data privacy are understood and endorsed at executive level,” says Adam Harrison, Head of Information Security, Gemserv, in an exclusive interview with ITSecurityWire.
ITSW Bureau: What are the data challenges faced by today’s enterprises?
Adam Harrison: The most important challenge is mastering the ability to understand the true business value and regulatory issues associated with the data held. Consider for a moment the scenario where an enterprise is processing millions of data records, some of which may (or may not) fall within the scope of GDPR or financial services regulations.
In this scenario, the enterprise subsequently decides it wishes to migrate its data architecture to the cloud whilst simultaneously implementing new business intelligence capabilities designed to derive additional business value from the data—all the while ensuring that its data remains secure.
The question needs to be asked as to whether the enterprise possesses the skills, resources, or true understanding of the technology required to conduct this exercise comprehensively whilst remaining compliant.
Do they fully understand the issues they will face? The mindset “...of course our data is secure and compliant, it is in the cloud...” must be avoided. Instead, a well-thought-through migration plan or roadmap, with input from expert stakeholders, that fully addresses the security, regulatory and compliance challenges should be the first priority.
ITSW Bureau: How can enterprises harness the power of data while staying compliant with data and also other regulations?
Adam Harrison: By producing policies, standards and plans that are fully aligned with regulatory guidance, and by ensuring that toolsets are configured to provide evidence of compliance (e.g., audit). In the UK, most regulatory bodies, including the Information Commissioner’s Office (ICO), provide a host of tools and good practice guides that are designed to help enterprises with these types of challenges.
I would include in this the requirement to ensure that the contractual schedules that enterprises may have with their IT or Cloud Service provider spell out precisely the respective obligations under GDPR. This is a complex area, and there is no substitute for expertise when required.
Having an expert legal review completed of an enterprise’s intended approach to demonstrating compliance is an extremely valuable exercise. Most London practices retain expert counsel in Data Privacy.
ITSW Bureau: What, according to you, can help enterprises to develop an effective methodology for embedding a secure approach?
Adam Harrison: By ensuring that the enterprise has the appropriate skills, advice and guidance embedded within its governance, risk management and operational business practices, the objectives of good cybersecurity and data privacy are understood and endorsed at the executive level.
The appointment of a Data Protection Officer (DPO) to oversee and remain accountable for data privacy matters on behalf of the executive is an excellent first step. If the skills do not exist internally (even with training), then there are a number of legal and consultancy practices that provide virtual DPO services.
The DPO is responsible for the implementation of policies, procedures and risk management mechanisms that are intended to keep the enterprise compliant. By ensuring the DPO has visibility and input into ongoing projects, the business can remain confident that they are following good practices such as undertaking data privacy impact assessments (DPIA).
DPOs often work in partnership with the Chief Information Security Officer (CISO) in order to ensure that the cybersecurity and data privacy objectives of the enterprise are implemented in a complementary manner.
These are key roles that require executive-level support in order to effectively mitigate the appropriate areas of risk via the implementation of good-practice-based risk frameworks such as NIST, ISO 27001 or NISD.
ITSW Bureau: What trends will define data security in the foreseeable future?
Adam Harrison: Undoubtedly, the ‘dash for the cloud’ will increase and the appetite to migrate traditional ‘on premise’ infrastructure into cloud service providers will continue at pace. What is yet to be realized is the extent to which enterprises fully understand the security implications of cloud-based architectures.
In particular, the purchase of PaaS and IaaS services does not necessarily guarantee that the security and compliance requirements of an enterprise are included ‘by default’ within the contract that is actually signed.
Most service providers operate a ‘shared security model’ for cloud services, which means that explicit security responsibilities remain with the enterprise. Additionally, enterprises should not automatically assume that their cloud-based infrastructure is covered by security management capabilities such as Security Information and Event Management (SIEM).
SIEM services often need to be purchased separately, and given the complexity of SIEM toolsets, including the potential requirement to cover cloud and on-premise (hybrid) deployments, they can require deep technical expertise and be complex to configure in accordance with the required protection profile.
Businesses need to enter into contractual negotiation with cloud providers in full understanding of precisely where the responsibility and accountability for security rest, including where hidden costs might exist for ‘add on’ security services. Increasing our understanding of these complex issues and the associated nuances will define how well our data remains protected.
Adam is a leading cyber security specialist with over 25 years’ experience in the industry. His specialism covers Military, Defence, Homeland Security and Law Enforcement. Adam leads the development of new capabilities and of risk and cyber threat mitigation in the UK and in an international context, including the Five Eyes community.
As a senior, trusted cyber security advisor to the Government, he provides strategic advice and guidance across multiple business sectors, helping clients at Gemserv solve complex security and risk management challenges.