In the first blog of this series we reviewed perceptions and current states of preparation for the EU legislative changes and how they impact your cyber security strategies, drawing on information that was collected during the registration process for a webinar run for practitioners with ISACA.
News Flash: On May 4, 2016, the European Union (EU)’s General Data Protection Regulation (GDPR) was published in the Official Journal of the EU. The regulation will enter into force 20 days after its publication, on May 25, 2016. Its provisions will be directly applicable in all member states two years after this date, so companies will need to comply with the GDPR as of May 25, 2018.
The GDPR will replace the 1996 Data Protection Directive. The GDPR is a complex piece of legislation, with many different requirements, and coming into compliance with them all by the May 25, 2018 deadline will take extensive work for companies around the world that handle the personal data of EU residents.
In this second blog, we will examine three further questions that we asked live. You should note that many listen to such sessions in the post-recording, so the sample set in the live polls was 300+, but I would suggest this still gives us a very valuable sample of perceptions.
Obviously any new legislation being implemented is done with noble intent. In these instances, the way in which we use and depend on the Internet has evolved: there is a desire to drive confidence in society as our digital world grows. It was therefore good to see that 74 percent of respondents saw the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS Directive) as raising the bar for cybersecurity, compared to their current capabilities. Nine percent felt that existing security regulations in their industry were already higher, which I would suggest is most likely organizations in the financial services space. But what we should consider is that the bigger the gap between where organizations are today and the needed requirements, the more time and budget will be required to achieve compliance. As such, one of the first tasks for any organization should be to complete the gap analysis to validate the scope of work ahead and, importantly, to get the right executive sponsorship behind the project.
The second poll looked at just what the gap analysis was. Nearly half (44 percent) suggested they have significant work ahead. There are both positives and negatives here. There is an indication that analysis has been done, but only 14 percent suggested they had a managed project already underway. A concerning 36 percent suggested they had no idea of the effort required or were not planning to start focusing on becoming compliant until the legislation goes live.
This highlights some very differing perceptions on legislation across the EU and different industry groups. But with harmonization being a key driver for the EU, I would anticipate that, in years to come, the diversity of answers would reduce.
As a security leader, it is critical to ensure that the decision to achieve compliance should be made collaboratively, which means engaging the legal team, business leaders and the cybersecurity team to make an informed decision on what the right next steps are for the business to take. It’s easy to simply state that this is a “must”, but for each business there must be a review in terms of gap analysis, costs of compliance, ownership and investment strategy. For some, the timescales and investment required may already be too constrictive.
The final poll validated as much, with only 35 percent of respondents confident in their company’s ability to adhere to the 2018 deadline. Thirty-six percent already considered the timescales to be tight, and 14 percent suggested they didn’t expect to make the go-live date. Of note was the 15 percent that are still waiting on timelines to be finalized, to which I would suggest that these are now sufficiently well-defined. We should not be waiting to act, but for many legislation can be a complex quagmire. That is why organizations must engage with their legal teams and ensure they either get educated or remain informed about these legislations and how they impact cyber strategies.
Hopefully the insight from your peers gives you confidence that you are in line with others on your journey in adhering to the upcoming requirements. If you are not, may that insight help you gain the business support you need to validate the importance of catching up with your peers.
So what next? I would suggest you consider the following key steps in your action plan:
1. If you haven’t already, start preparing now!
2. Stay informed. Palo Alto Networks will continue to provide you with updates on what this means for you and your cyber strategies on our microsite:http://go.paloaltonetworks.com/regulation.
3. Assign executive ownership.
4. Complete a gap assessment: Can you qualify your risk today and do you have the relevant regard for ”State of the Art”?
– Work with your auditor/advisors to have a clearly defined risk assessment.
5. Ensure you have legal and privacy guidance (internal/eternal) to validate that you have the right understanding of the legislation for your business.
6. Define a plan to get adopt and maintain relevant regard for “State of the Art”.
7. Make a clear plan on how you will deal with incidents, as they will happen.
8. Ensure you have a made conscious decisions on how you balance your investments, between prevention and detection (“State of the Art”) and responsive capabilities.
[Palo Alto Networks Research Center]