For some, the upcoming EU legislative changes (the General Data Protection Regulation, referred to as GDPR, and the Network and Information Security Directive, referred to as the NIS Directive) may have seemed like they are a long time in coming, since early discussions started back in 2013. Yet as is often the case with such processes, it becomes all too easy to keep holding off from preparing, especially when details are still to be finalized. From current speculation, it seems that both will be documented in the Official Journal of the EU shortly, which – for those who haven’t already started preparing – should be the final call to action, and implementation will officially start.
The question for many now becomes: Are they at the right place on the journey? Human nature drives us to want to compare ourselves with our neighbors to ensure we are doing the right things, and where there are time deadlines, that we are on track to achieve them.
From a recent webinar run with the industry group ISACA, I took the chance to poll the attendees to gather more insight on organizations’ state of preparation in terms of their cyber security strategies.
With any legislative requirements, the first objective is to be clear on what needs to be done. In this instance both pieces of legislation use the term “State of the Art”, which aligns to the requirement to have security by design and default. Specifically with the GDPR, that requires regard for this to be relevant to the risk.
In the last 12 months, exactly what “State of the Art” means has seemed to be one of the most common questions, as many security practitioners and leaders are typically more confident with granular requirements. But in polling the 1400+ people who registered for the recent webinar, it was found that 64 percent of those who responded now claimed to know what “State of the Art” is. Unlike some other industry regulatory requirements, GDPR and the NIS Directive will likely remain in force for a while. As such, it would be virtually impossible to define detailed requirements; the term is more a placeholder requiring organizations to ensure they keep educated on cutting-edge cybersecurity capabilities and processes.
I have found myself having numerous discussions with other industry experts around how we would be sure that each of our interpretations of “State of the Art” would stand up to an auditor or another company. As such, my guidance would be that whilst we often look at the technical aspects of legislation, it’s important to engage with the business and legal teams in your company to ensure there is consensus on your interpretation of the requirement. Whether we like it or not, we should be prepared to qualify our adherence, be that to an auditor or to an authority, when responding to an incident.
Although it’s great to see that many are comfortable with the concept, there are others who are still getting their heads around the additional responsibility. I suspect more broadly that while the first goal will be to validate and achieve the relevant regard for “State of the Art”, very quickly cyber security leaders will also need to qualify just how long the current interpretation remains the case, as (it’s not a one-off goal, but an iterative requirement). As such, processes that continue to validate and subsequently apply ”State of the Art” must become part of the normal cyber strategy.
The challenge for many is that while we look to prepare for these legislative changes, we still have a day job. Therefore the question becomes: Where does it sit in the priority stack? Here the poll showed that there was a split in views. Thirty-six percent had this in their top 10, and an additional 21percent had it in their top three. Yet 20 percent were only planning to look at these legislative requirements in 2017, and a further 16 percent were planning to wait until the requirements come into effect in 2018. It would be interesting to see the industry breakdowns here, as I could speculate that those that are already more heavily regulated may be more proactive, as they are used to the process. But from my own experiences, I also have seen regional perceptions of legislation enforcements, especially when the historical variance in enforcement of data protection requirements could be a factor. The goal of harmonization, which was one of the key drivers of GDPR reform, aims to ensure we all abide by the same rules and enforcement guidelines.
My personal guidance here would be that if you haven’t already started to prepare, you should do so now. It takes time to validate the gap analysis (again for those that are already heavily regulated, this may be much smaller than those that are not today), but agreeing on a budget, validating solutions and deploying and testing capabilities all take time.
At an executive level, the natural first question when discussing the proposed new legislation is: What impact does that have on our business? Here the replies to the poll were very broad. Many were still unclear, while others focused on either the brand damage concerns that would likely come from public disclosure of an incident, or concerns around the new penalties for data breaches that have been defined in the GDPR. The very broad scope of responses, I would suggest, should be our biggest concern. If the impact to businesses cannot be clearly defined, how can they be expected to support their cybersecurity teams in investing time and resources to achieve compliance? As such, while it seems confidence is growing when it comes to some of the terminology, such as “State of the Art”, there is still a need to be clearer on the impact of these new regulations. For me this highlights why many are still holding off in terms of making it a priority for 2016.
[Palo Alto Networks Research Center]