Big data is getting bigger and the challenges for information technology and security professionals are becoming even more complex in the face of more stringent regulation and legislation.
These days companies increasingly rely on data obtained through various means to fine-tune their product and service offerings. At the same time, the value of data as an intangible asset is becoming more important when it comes to valuing a company. Traditional intangible assets include patents, trademarks and copyrights; data, however, now provides companies with not only a competitive advantage but also additional income streams, and data is big business. According to an article in the Wall Street Journal, these types of intangible assets (including data) are now worth around $8 trillion globally.1
It has become increasingly clear that data plays an important part in defining exactly what a company is worth, and in some instances it makes a huge impact on the bottom line. Take, for instance, supermarket operator Kroger Co. in the United States. The company uses data from over 2,600 stores and its vast legion of loyalty-card holders as the basis for a $100 million side business (according to Douglas Laney, an analyst at technology research and consulting firm Gartner Inc.), selling that data to vendors who track purchasing trends. The sheer value of data, the use of sophisticated technologies and the complexity of protecting it, while still respecting the rights of individuals with respect to how that data is treated, make it increasingly important that information and security professionals keep abreast of the changing regulatory environment.
Converging skillsets for privacy, information technology and security
The increasing importance of data, and the complexity involved in handling it, has led companies to re-evaluate how they approach privacy and the skillsets and organisational frameworks needed to cope with these changes. For many companies, old-school management processes and professional skills, and the way those skills are leveraged and deployed, may no longer be optimal. Information technology and security experts need to be aware that the challenges they face are constantly evolving and that their mind-set must evolve with them.
Gone are the days when legal counsel and data protection officers could be relied on to stand apart as the sole gatekeepers of information and how it is protected. A new breed of information technology and security professional at the top tier of the organisation now has to be intimately familiar with the privacy and data landscape and the ramifications of new, global legislation and regulation. Even more of a challenge is the fact that the skills required to cope with the ever increasing speed of change are now widely recognised to be in short supply. Steve Durbin, Managing Director of the Information Security Forum (ISF), states in an article published on cio.com2 that ‘CISOs need to build sustainable recruiting practices and develop and retain existing talent to improve their organisation’s cyber resilience’, and that would also include an in-depth knowledge of issues pertaining to data privacy.
He also states that ‘the right sort of people can make the case for cyber security [which should also include issues relating to privacy] being linked to business challenges and business developments.’ The question is whether traditional information technology and security functions are up to this task and whether they should in fact remain as separate silos – or whether a new approach is required, for instance combining these roles.
It is simply a fact that the challenges are not going to get any easier, and the increasing reliance of many companies on the competitive advantages of big data is beginning to make Kroger’s $100m look like pocket change. Unfortunately the amount of data that companies are collecting is a challenge in itself; there can simply be too much of a good thing. Companies that collect too much data in the hope that it might one day prove useful risk losing it: data that sits idle is rarely on the frontline of a company’s activity, tends to be less monitored and less well protected, and is exactly what an attacker who values quantity over freshness goes looking for. Once again it is this shifting landscape that requires a new type of information technology and security professional, one who can take a more holistic view of security, operational imperatives and data privacy. The question is whether companies are exhibiting the mind-set to meet these challenges, and just what some of the challenges now facing information technology and security professionals are.
The huge amount of data now available to organisations has led many companies to adopt a ‘less is more’ approach, keeping what they need and junking data that is not relevant to their strategic requirements. This is good business practice: it costs time and money to keep and protect data. It is also in line with the data minimisation principle of existing data protection law. The UK Data Protection Act 1998, which implements the EU Data Protection Directive, states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”, and the GDPR carries the same principle forward as ‘data minimisation’ in Article 5(1)(c).
However, even with this approach the thorny issue of the data a company does use remains challenging. ‘Less is more’ does not mean less compliance with the EU’s General Data Protection Regulation (GDPR), which becomes effective on 25 May 2018 and replaces the Data Protection Directive 95/46/EC. In fact things are becoming more complex rather than more transparent (an EU speciality, it seems), and this is going to require a new breed of information technology and security professional, someone able to cross the line between a Chief Security Officer and a Chief Privacy Officer.
The new Regulation complicates the job of the information technology and security professional. It encourages the separation of identifying data from the rest, known as ‘pseudonymisation’ and defined in Article 4(5). A fairly clumsy term that means ‘the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.’3 In practice that additional information is a lookup table or a cryptographic key, and the protection is only as good as the access controls around it.
Article 32 of the Regulation is especially interesting. Under this Article controllers (and processors) are required to implement technical and organisational measures appropriate to the risk, and the first measure listed is the ‘pseudonymisation and encryption of personal data’ (Article 32(1)(a)). Articles 33 and 34 then deal with breaches: controllers must notify the supervisory authority of a personal data breach without undue delay, and where feasible within 72 hours of becoming aware of it, unless the breach is ‘unlikely to result in a risk to the rights and freedoms of natural persons’ (Article 33(1)), and must also inform the individuals concerned when that risk is likely to be ‘high’ (Article 34(1)). Because pseudonymisation lowers the risk of harm to data subjects, companies that use it may be able to avoid the second of those notifications; Article 34(3)(a) expressly excuses notifying individuals where the affected data had been rendered unintelligible to unauthorised persons, for example by encryption. Two caveats for the practitioner: this only holds if the key or the re-identification table was not itself exposed in the breach, and pseudonymised data is still personal data under the Regulation (Recital 26), so the rest of its obligations continue to apply.
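As an added illustration of what pseudonymisation looks like in code (this example is not from the original article and says nothing about how any named company does it), the following Python separates the direct identifiers in a constructed set of loyalty-card purchase records from the purchase data and replaces them with a keyed pseudonym. The HMAC key and the re-identification table are the ‘additional information held separately’. The script also shows why an unkeyed hash is not enough: an attacker with a list of candidate loyalty ids can simply recompute it. The record fields, the id format and the candidate list are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data): two direct identifiers plus the
# purchase fields an analytics team actually needs.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "loyalty_id": "L-1001", "store": 12, "basket_gbp": 42.10},
    {"email": "bob@example.com",   "loyalty_id": "L-1002", "store": 7,  "basket_gbp": 18.55},
    {"email": "alice@example.com", "loyalty_id": "L-1001", "store": 12, "basket_gbp": 9.99},
]

# Fields that identify a person directly; everything else is kept for analysis.
DIRECT_IDENTIFIERS = ("email", "loyalty_id")

# Assumed attacker knowledge: loyalty ids are sequential, so a candidate list is easy to build.
CANDIDATE_IDS = [f"L-{n}" for n in range(1000, 1100)]


def keyed_pseudonym(key: bytes, identifier: str) -> str:
    """HMAC-SHA256 of the identifier. Only a holder of `key` can recompute it,
    so the pseudonym cannot be linked back to an id by guessing."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak alternative: a plain hash. Anyone can recompute it from a
    candidate list, so the 'additional information' is effectively public."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(records: list, key: bytes) -> tuple:
    """Split records into (analytics dataset, re-identification table).

    The dataset carries a pseudonym and the non-identifying fields only. The
    table maps pseudonym -> direct identifiers and must be stored apart from
    the dataset, together with the key, under separate access control.
    """
    dataset, reid_table = [], {}
    for rec in records:
        pseud = keyed_pseudonym(key, rec["loyalty_id"])
        reid_table[pseud] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        row = {"subject": pseud}
        row.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        dataset.append(row)
    return dataset, reid_table


def leaks_direct_identifiers(dataset: list) -> bool:
    """True if any row in the analytics dataset still carries a direct identifier."""
    return any(k in row for row in dataset for k in DIRECT_IDENTIFIERS)


def reidentify(pseudonym: str, reid_table: dict):
    """Authorised re-identification using the separately held table."""
    return reid_table.get(pseudonym)


def dictionary_attack(target: str, candidates: list, pseudonym_fn):
    """Attacker model: knows the pseudonym function and a candidate id list.
    Returns the matching id, or None if linkage fails."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym_fn(cand), target):
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep in a KMS/HSM, never beside the dataset
    data, table = pseudonymise(SAMPLE_RECORDS, key)
    alice = data[0]["subject"]
    print("direct identifiers left in dataset:", leaks_direct_identifiers(data))
    print("same subject, same pseudonym:", alice == data[2]["subject"])
    print("authorised re-identification:", reidentify(alice, table))
    # Without the real key the attacker cannot link the keyed pseudonym ...
    wrong_key = b"\x00" * 32
    print("attack on keyed pseudonym:",
          dictionary_attack(alice, CANDIDATE_IDS, lambda i: keyed_pseudonym(wrong_key, i)))
    # ... but an unkeyed hash falls to the same candidate list immediately.
    print("attack on unkeyed hash:",
          dictionary_attack(unkeyed_pseudonym("L-1001"), CANDIDATE_IDS, unkeyed_pseudonym))
```

The point to take from the attack functions is that the keyed scheme collapses the moment the key leaks: the same dictionary attack succeeds with the real key, which is why the key and the table, not just the dataset, decide whether a breach still counts as low-risk.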
This is all very well, but compliance with the Regulation is problematic for companies that do not have a forward-thinking attitude towards data protection and privacy. Controllers are encouraged, though not strictly required, to sign up to codes of conduct drawn up by bodies representing their sector and approved by the supervisory authorities (or, where processing spans several Member States, the European Data Protection Board and the Commission). Article 40(2)(d) lists the pseudonymisation of personal data as one of the matters such codes should address, and adherence to an approved code is one way of demonstrating compliance with the Regulation.
So once again the EU has placed the onus squarely on individual companies to comply with the latest requirements, and once again a new breed of information technology and security professional, one who can bridge the gap between an information security officer and a data protection officer, may be needed to keep the organisation on the correct strategic path while complying with an increasingly complex regulatory environment.
That’s not all
As they say in late night infomercials, ‘that’s not all’. The GDPR requires companies to put in place technical and organisational measures appropriate to the risk, including, as appropriate (Article 32(1)):
Pseudonymisation and encryption of personal data.
Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
These requirements will be a challenge for small and medium-sized enterprises, and a considerable burden when it comes to retaining the talent that will enable them to comply both timeously and within limited budgets. For these companies, maintaining separate Chief Security Officer and Chief Privacy Officer functions may be a cost that makes already thin profit margins disappear completely.
If the company complies with all of these requirements, what happens if a data breach does occur? The devil, as they say, is in the detail. Article 33(1) on notification is very interesting: the supervisory authority must be notified without undue delay, and where feasible within 72 hours, but notice is not required if ‘the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons.’ There is a bit of wriggle room here, and data protection officers and legal teams could tie authorities up in knots defending their decisions on notification.4 Note, though, that Article 33(5) requires the controller to document every breach, including those it decides not to report, so the decision itself has to be defensible on paper.
Information technology and security professionals need to up their game
It is becoming increasingly clear that companies wishing to comply with the GDPR are going to have to up their game. Relying on legal counsel and the traditional skillsets of information security officers is simply not going to protect them from the penalties that can be imposed after May 2018, which run to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)). There may be an urgent need for a new breed of information technology and security professional who takes on the role of a Chief Security and Privacy Officer; or is there an argument that these functions should be amalgamated, a proposition that smaller companies would find tremendously attractive? This is something we will examine in part two of this article.