Having recently returned from the first phase of Carbon Black’s official General Data Protection Regulation (GDPR) Data Security and Privacy tour, where I participated in the data privacy and security enablement of numerous European global businesses, I’ve collected many valuable insights on the first of many steps businesses are taking to position themselves for success against the May 2018 GDPR deadline.
Along with the realization that there are still a significant amount of organizations that are still trying to sort out the grey areas of the GDPR, the overwhelming theme is still the same, and every business I met with expressed a desire to take active steps to illustrate their data security, usage, and privacy policies in the face of the GDPR requirements.
I’ve written on the generalities of data security in conjunction with the GDPR in a previous blog, listing some of the steps to start building context around one’s data security policy, but I wanted to add some additional context into the evolution of how businesses are dealing with the impending deadline at this stage of the game.
I’ve spent considerable time (the past year) collecting insights from companies where Carbon Black does business (Europe, UK, Asia, South Pacific, and North America), and have gained insight on prevailing themes businesses are facing, particularly when they look to solutions that can help them define their eventual GDPR data protection and cybersecurity policy.
With that research, I’ve arrived at some conclusions and I wanted to add some common-sense clarity and perspective on the role of a security vendor solution within a GDPR security program.
Carbon Black’s methodology and value to the GDPR data security requirements contains many of the standard components associated with recommendations, amendments, and acknowledgements of the counsels who created the security protection parameters. However, we take a different approach to the collective noise that centers around positioning a security solution into place against the impending GDPR deadline.
Carbon Black’s contribution to the standard involves driving data security prioritization around business process and business justification, in concert with the required data and threat analysis. All that to say our approach is to align data security policy with the security controls responsible for protecting that data. The following diagram illustrates how we align security controls against the cyber threat kill chain:
Along with that alignment comes visibility and intelligence to help measure necessary business goals as well as the risk to those controls across the enterprise. I believe one of the most important items that all companies need to address when considering the GDPR and how they are viewed in relation to the data privacy standard is transparency. Those who can showcase the way they use and, more importantly, protect data will be at an advantage as the mandate moves forward next May.
When analyzing many requirements necessary to gain transparency in terms of data privacy, it’s easy for businesses to get overwhelmed, especially if security by design is not part of their culture. At Carbon Black, we have always advocated building security into business policy. We view the necessary requirements needed with the GDPR as an opportunity for all organizations affected.
We use the security requirement guidance of the GDPR as a conduit to drive good data privacy behavior and data security hygiene. Used in a positive way, the guidelines listed in the GDPR are an opportunity to engage with businesses and promote risk measure that will help shore up security and data usage policies worldwide. Used in a positive way, it can help drive businesses and consumers into constructively having a “trust conversation” as well as enabling transparency for businesses who are applying data security.
The Carbon Black approach focuses on the following in association with the GDPR:
- Using our security policy framework starting with security awareness as a first stepin the data security audit process to help organizations understand their responsibilities for data privacy, essentially enabling all the stakeholders to contribute to the role of the DPO (Data Protection Office).
- Enforcing and implementing a baseline security measure: Helping align global security and data protection frameworks that will enable long term advancement of data privacy. (using policies and baselines like NIST, PCI DSS, and ASD to measure the protection of consumer data).
- Implement technology and solutions that can measure the enforcement of security controls.
- Enabling businesses to gain control of their data privacy policies by increasing visibility and threat event intelligence measured against a trust policy, enabling the enterprise to filter out noise in their policy.
- Provide a security framework that enables businesses to display full transparencyon both data use and the protection of data with their consumers.
The application of these controls is nothing new. We have known about the benefits of security risk measurement, visibility, and threat control for quite some time. When security policy and controls are aligned with the business process early in the development of security policy, the result is a mandate that will be more conclusive, with stakeholders aligned. It is also one that will be utilized for the long term. Complying with the GDPR by the 2018 deadline is another one of the positive net results of these measures.
Want to learn more? Register to watch Change Liability for Accountability – GDPR with Cyber Security Risk Measurement, featuring Chris Strand, Christopher Strand, Sr. Director, Compliance and Governance Programs, Carbon Black, Andrew Barratt, Managing Director – International / Managing Principal Application Validation, Coalfire, and Adrian Davis, Managing Director, (ISC)² EMEA