Yes, you did read the headline right. It is the conclusion of a UK Government review (the Cyber Security Regulation and Incentives Review) published right at the end of 2016. In it, the UK Government concludes that the EU General Data Protection Regulation (GDPR), with its reporting requirements and financial penalties, represents a significant call to action, so no further regulation is required at this time.
This decision is to be applauded for four reasons.
First, many UK-based organisations are also having to prepare for the European Union Network and Information Security (NIS) Directive. Both NIS and GDPR place significant resource and financial burdens on organisations as they review and enhance their processes, their security controls (managerial, technical and procedural) and their approaches to data collection and storage.
Second, the review’s authors recognise that regulation encourages a ‘tick-box mentality’ or ‘compliance culture’, in which organisations do what is stated in the regulation and go no further. Adopting this sort of culture runs against the risk-based approach that many cybersecurity professionals both favour and use on a day-to-day basis; it also reduces the scope for the pro-active approach that we are all trying to develop and instil in our organisations’ security programmes to deal with the dynamic and ever-changing cyber risk landscape.
Third, regulation of any kind adds to the cost of doing business – and many sectors of the economy face an ever-increasing tide of regulation. The review also stated that mandating specific controls would not work, as they would become out of date very quickly, which is another welcome statement.
Finally, the review makes clear that organisations should manage their own risk in respect of sensitive data and online presence and that, as each organisation’s IT is unique, individual companies are best placed to determine the controls appropriate for their organisation.
So what does it mean for cybersecurity professionals?
For those of us in the UK, it allows us to concentrate on meeting the requirements of GDPR (and where relevant, the NIS Directive). We should highlight the results of this review – and the emphasis placed on GDPR – to our Boards, our CIOs and legal functions to help further their support for GDPR projects and to help them plan their compliance programmes.
For those outside the UK, it’s worth sharing this document with your regulators, government representatives and CERTs to show how the decision was reached and the reasoning behind it. For any multinational, it sends a clear signal that compliance with GDPR is a prerequisite for doing business in the UK and provides a solid basis on which to demonstrate cyber security.
Finally, the review is the strongest signal yet to us as cybersecurity professionals that we are being trusted to get on with the job and deliver. We have a window of opportunity to show that we can deliver effective cyber security risk management and compliance with GDPR. It’s worth noting, however, that the UK Government has reserved the right to re-examine whether further regulation is required in the future. A massive breach, or a failure to embrace the requirements of GDPR across UK industry, are two scenarios that could trigger another review and new regulation.
The (ISC)2 EMEA Advisory Council has established a GDPR task force of certified members actively involved in implementing GDPR. The aim is to track, curate and share front-line experience with the regulation. Members interested in contributing to the effort are encouraged to contact EAC co-chair firstname.lastname@example.org, or Adrian Davis (email@example.com).