There isn’t a single chief information security officer (CISO), head of compliance or chief privacy officer who enjoys rejecting a new service that could increase the pace of a business’ innovation. However, the reality is that many CISOs are forced to tell the business it needs to rethink ideas because of privacy, compliance, and security concerns and risks, especially in light of the upcoming European Union (EU) General Data Protection Regulation (GDPR).
Preparing for the GDPR
Businesses must walk a fine line when preparing for the GDPR; gathering and analyzing massive amounts of customer and prospect data can uncover new opportunities and business models, yet data must be kept private and secure from both regulatory and reputational standpoints. The latest round of regulations, including the EU’s GDPR, comes with teeth in the form of stiff financial penalties for those that fail to comply. Companies that fail to adequately prepare for the GDPR risk incurring fines of up to 4 percent of their annual revenue.
As a result, organizations around the world are scrambling to address the new rules before the GDPR goes into effect in May 2018. Any company that stores personal information regarding EU residents will be subject to the new compliance rules, even if the business has no other presence in the EU.
Read the Interactive Solution Brief: Ready, Set, GDPR
Decentralized Data
Complying with regulations such as the GDPR are just part of the challenge facing CISOs and security teams. There was a time when organizations could centralize data so that control and governance were relatively straightforward. Techniques such as role-based access control and data masking were good enough to ensure that customers stayed secure.
In recent years, however, data has been increasingly distributed across hybrid environments. Data is stored in data centers, managed service environments and public clouds. Disconnected silos of data are often stored in inexpensive cloud storage, which is more difficult to control than the traditional, tightly controlled data repositories they replaced. Companies are storing more and more data at a lower cost in the hopes of harvesting useful insights.
Unauthorized IT Casts a Shadow
Further complicating matters, many new business services are being created, used and managed outside the purview of the IT organization. SaaS applications, for example, may contain customer information, while home-grown cloud applications may house important intellectual property, customer data or product information. It’s likely that the compliance office, privacy office and CIO didn’t sign off on each of these services.
This shadow IT is causing major problems for companies preparing for the GDPR and attempting to comply with all its rules. Although shadow IT helps employees work more efficiently, it makes it nearly impossible for companies to know who has access to their data or where the data is located, and the issue is growing at an alarming rate. It’s extremely difficult to prove compliance to strict data governance regulations when employees use a mix of corporate and personal IT services and devices.
Speed at the Expense of Privacy
Storing massive amounts of sensitive data in the cloud and hybrid environments has added to data complexity. Many businesses are opening their data to employees throughout the company so that they can use that data in innovative ways.
With business leaders demanding fast results, many companies fail to maintain high levels of data privacy and governance. As data is spread across organizations, it becomes increasingly challenging to maintain the robust data stewardship and protection required by the GDPR. Additionally, data security has become a serious concern as wider groups of users access customer data and intellectual property.
Many companies are inadvertently laying the groundwork for a breach because employees require fast and easy access to data, and new services must be created rapidly, which requires extreme agility. This speed of innovation also creates a gap between a company’s privacy office and how data is being used: The compliance and privacy offices may have strong written policies and procedures, but the compliance officers may not understand what the business is doing with data. This divergence between the requirements and demands of the privacy office and the actions taken by business analysts poses enormous compliance and security risks.
Solidifying Silos
An interesting change is happening with data management: Corporate managers are increasingly inclined to leverage important data across departments to create new product offerings. It is imperative, therefore, to break down silos of data across business units.
However, this is not without risks. Within an individual department, an administrator can keep close tabs on who is accessing data and for what purpose. It is relatively easy to establish a chain of custody for data when administering a single environment. As companies end silos and spread data across the business, however, it becomes more difficult to keep track of data from a privacy, governance and security perspective.
For example, a health care company might create an application that brings together patient data with fitness tracking information and third-party data sources. While the new application provides incredible analytics value, it also exposes risks based on compliance regulations such as HIPAA. Unfortunately, adding flexibility to the business can render the data vulnerable.
It is clear that to remain competitive and offer new services, businesses must bring together and analyze massive amounts of data. The CISO must be able to support business needs while keeping this data secure. He or she should partner with business leaders to analyze the data in a way that protects privacy and complies with regulations.
Regulations and security threats are constantly evolving. As security and compliance teams work to ready their organizations for the GDPR, they must keep an eye on the future, anticipating new requirements that may impact the business.
Best Practices for Ensuring Data Privacy and Security
How can you balance the need for access to the right data while maintaining compliance with a changing regulatory and security landscape? While there isn’t one right answer, there are some best practices that can help turn the security officer into a business partner. Here are the top three:
1. Work Together
Privacy, security and project management offices must work together as a team. Many companies that proactively manage data privacy and security challenges embed privacy and security personnel within business units. Security by design should become a common strategy; this will help organizations build security and privacy provisions into projects from an early onset.
2. Assess Impact
Perform privacy and security impact assessments as part of a project’s approval process. As a project moves forward, there should be continual checkpoints to ensure that compliance, security and protection requirements are met. A project should not move forward with funding until it has been reviewed and the risk levels defined. Continuous assessments allow teams to identify and address issues in early stages of the project.
3. Identify the Data
Identify the data that will be used for a new project. Understanding the sensitivity of data being used will make it easier for companies to meet the requirements of regulations like the GDPR, and it will reduce the risk of a breach. Give business leaders and executives oversight of data based on the sensitivity and risks associated with the information. These executives should sign off on a project only once they agree that the risks of exposure are worth the benefits.
These best practices should be the foundation of an organization’s security and governance policy as it prepares for the GDPR. This foundation will help protect the business from costly fines and will help prevent future security breaches.
Combining both organizational change with technical solutions can help organizations overcome the risks posed by removing data silos, giving employees access to more data and exploring new, data-centric business models. A well-planned strategy can enable an organization to innovate safely and securely.
Read the Interactive Solution Brief: Ready, Set, GDPR
Principal Analyst & Vice President, Hurwitz & Associates