‘Complete The Puzzle’: Tackling GDPR, Improving Security Posture

Dan Gunderman
Posted: 01/24/2018

Governance, risk and compliance (GRC) is a substantial cyber security topic in its own right, especially in the face of a sweeping data-protection regulation from the European Union (EU) that applies to any organization handling or processing the personal data of people in the EU.

The regulation's reach will affect countless businesses worldwide, and U.S. companies are not excluded from that conversation. The measure, called the General Data Protection Regulation, has teeth: an enterprise can face fines of up to 4 percent of its annual global turnover, or €20 million, whichever is higher.

GDPR, adopted April 27, 2016 and enforceable as of May 25, 2018, comes into effect after a two-year transition period. However, governments do not have to pass enabling legislation – it is binding from the outset. How will enterprises handle this added pressure?

We spoke with cyber security legal expert, Jamal Hartenstein, about this measure and the general regulatory environment currently governing cyber security.

On the impending GDPR and any heightened activity within enterprises to become compliant, Hartenstein reiterated that GDPR expands upon previous regulation and introduces new concepts. Some of them include: the appointment of a Data Protection Officer (DPO), the widened territorial reach of the regulation, adjusted consent policies when it comes to withdrawal options and an expanded definition of personal data, the GDPR's counterpart to personally identifiable information (PII), meaning any information relating to an identified or identifiable natural person.


What’s more, Hartenstein expanded on the DPO topic – saying there has been some back and forth as to whether that individual should have a legal background.

“I welcome any discussion on why DPO selection should be a cyber-aware lawyer (obviously not just any JD will do, because there are so many specialties),” Hartenstein said. “I understand both arguments, but I see it like this: If you can afford a DPO-lawyer combination, hire it, because if your organization is faced with GDPR sanctions, you will be hiring a lawyer anyway, so why not have the strongest cyber-warrior in place even before a battle ensues?”

More generally, Hartenstein called for a collaborative effort between privacy, risk and compliance officers, CISOs, COOs and CIOs to “understand what exposure they have to GDPR.”

Hartenstein advised enterprises to actively establish RACI charts (assigning who is responsible, accountable, consulted and informed for each obligation), refresh and review policies so they are “unambiguous and relevant,” and manage consent options for consumers and data subjects.

Outside of the direct clutches of GDPR, Hartenstein also touched upon federal efforts in the U.S. to button up its cyber security practices. He pointed to the enrollment of federal agencies onto a cyber security dashboard administered by the Department of Homeland Security (DHS).

“The federal government’s agency dashboard is naturally and inherently part of the grand plan (outlined) in Executive Orders (EO) 13636 and 13691,” he said. “I’ve seen this coming since 2013…”

“More and more government oversight is coming hard and fast,” Hartenstein explained. “Well, not so fast – FISA (the Foreign Intelligence Surveillance Act) started in 2008 (the House recently voted in favor of Section 702 of the act), and the timeline in the 2013 EO for such activity was 150 days…”


Hartenstein added that the “dashboard” is a “piece of a puzzle orchestrated long ago.”

“I think the closer we reach to completion of the puzzle, the stronger our defensive cyber-tactics will be,” he said.

“The overall plan set out in the Obama Administration’s 2013 EO is being carried out under the current administration and with the (2015) OPM (Office of Personnel Management) breach and others still feeling recent, I think a dashboard to detect anomalous activity among agencies is an improvement.”

On what governments can do to assist in efficient cyber practices for small or midsize businesses (SMBs), such as cyber security guides, Hartenstein said, “Food, health and safety regulators have provided guidance for years. So it’s only fitting (that) increased guidance from regulators of cyber security would be helpful.”

“A small business should…be provided with guidance (comes in the form of regulation sometimes) as to consumer data safety as well,” Hartenstein added.

This more structured approach also extends upward, to the large enterprise. Intel recently announced the creation of an internal cyber security group, likely intended to tighten product security practices and protect its brand reputation in the wake of the Spectre and Meltdown vulnerabilities.

On whether large, established enterprises will continue this trend, Hartenstein suggested that it is encouraged by EO 13691 – which promotes private sector information sharing.

“Intel’s formation of their new internal cyber security group is indicative of…an ISAO-SO (what federal agencies recognize as an ‘Information Sharing and Analysis Organization – Standards Organization').”

Still, Hartenstein said the specific response could be a “proactive” approach as a “reaction” to the related EO. “Regardless of motives or incentives, it’s excellent posturing and press.”
