Data Protection Leadership Forum — Breaking Down the Challenges
Author: Jim Barkdoll
At the end of January, I had the privilege of hosting TITUS’ first Data Protection Leadership Forum, which welcomed more than 20 executive-level security professionals from a variety of backgrounds to discuss the data protection challenges they’re facing. As I listened to these folks passionately speak to the issues they encounter on a day-to-day basis, it was clear their struggles centered around two areas: ensuring that data is adequately protected as it flows to third-party vendors or contractors, and navigating internal politics to ensure compliance in the face of a steadily increasing number of regulations, including the General Data Protection Regulation (GDPR).
Bar none, every security professional at the forum agreed the biggest challenge was around how to ensure that company and customer data is protected throughout dealings with third-party vendors or contractors. And with good reason — as you may recall, one of the contributing factors to the infamous Target data breach in 2013 was that a hacker gained access to Target’s data via a third-party vendor (in that case, a small HVAC company). It’s frustrating for security teams to know that though they feel confident in their own data protection initiatives, it may all be for naught if their vendors and partners don’t apply the same vigor to their security practices.
There are a number of potential solutions to this issue; however, they all face a significant obstacle: consensus. While many organizations ask vendors to complete a basic checklist on their security initiatives, others want more stringent measures. What is unclear is whether vendors or partners would be open to participating in a more rigorous initiative, which could be time-intensive. Initiatives such as Cyber Essentials are a great start, but it’s clear there’s an appetite to do more in this area.
Another challenge is how to determine accountability for data as it flows through partners’ and vendors’ systems. Is your organization still responsible for this data once it moves outside your walls? In the face of a breach, who is ultimately accountable? These are questions that keep CISOs up at night.
Internal politics — a game of hot potato
The landscape around IT operations, security and data management continues to become more convoluted, which means decision-making in this area is fraught with politics. If the CIO directs data management strategies, does that also encompass data protection? What about compliance initiatives?
Feedback from security professionals attending our forum showed that responsibility varies wildly from organization to organization. Our own interactions with customers certainly validate that view. In some circumstances, the CIO has an existing relationship with a big vendor whose solutions encompass everything from data management to security, so the CIO drives for ownership of the data protection and/or compliance strategies. For other companies, the CISO owns everything related to GDPR, from implementing technologies to reporting.
Why all this confusion? The reason is simple — it’s a byproduct of the larger confusion around what GDPR compliance looks like and what it actually means to be compliant. For instance, I think it’s safe to say that when GDPR was enacted in May 2018, consumers believed this legislation would take dead aim at assessing consequences to corporations that left their sensitive data vulnerable to a breach, be that from a hacker or other bad actor or from mishandling. Yet the first truly significant fine levied under the GDPR was against Google, for what could rightly be termed a violation that had more to do with how information was handled than with whether it was kept safe.
Moreover, in speaking with customers and analysts in Europe, it appears that this confusion has led to companies overreporting potential GDPR violations in the hopes of escaping hefty fines. After all, as a colleague once noted, it’s hard to yell at someone who is apologizing to you.
The last piece contributing to this confusion is the misguided way in which many companies view compliance efforts. While the intent of these regulations is to encourage good data stewardship, many organizations strive to do just enough to avoid a fine. True compliance requires a fundamental shift in how organizations view their data protection responsibilities, moving from a “let’s do just enough” mentality to a “how do we know data is secure wherever it lies” approach.
The challenges raised as part of our Data Protection Leadership Forum aren’t new, yet there are still no easy answers. Security professionals continue to be challenged to do more with fewer resources in the face of the ongoing explosion of data and increased sophistication of security attacks and threats.
TITUS works with customers on solving these issues every day, and even though there aren’t any clear-cut solutions, we actively partner with customers to help them implement data protection strategies that work for their unique situation.
If these topics resonate with you and you don’t know where to start, reach out to us. We’ll work to find a path forward that works for you.