GDPR compliance is a multidimensional challenge for nearly every enterprise. From a legal standpoint, it’s about having the right precautions in place to mitigate risk. Companies that are 94 percent compliant will have a contingency plan in case they’re investigated by the Information Commissioner’s Office (ICO). From a technology standpoint, the road to compliance is much longer. Legacy systems and data in hundreds of different places can make consent management feel like an insurmountable task.
What doesn’t often make headlines are the organisational changes required to make GDPR a reality. One of the most important steps is to build a culture of security. Without it, CISOs struggle to obtain budget and buy-in for initiatives that protect the business, and potentially ward off catastrophes like the massive data leak in Germany and Google’s £44 million fine.
Achieving GDPR compliance is hard, but not hopeless, and a culture of security can help. From the boardroom to the mailroom, here are practical steps companies can take to cultivate security awareness at all levels of the organisation.
Elevate Your Chief Information Security Officer (CISO)
Formerly, the CISO (Chief Information Security Officer) served in a smaller role on the outskirts of the C-Suite – an advisor who didn’t have a seat at the table. But over the past few years, in a digital age where devastating breaches occur too often, the role of the CISO has risen dramatically in stature and is now regarded as an integral part of any organisation.
Companies working to achieve GDPR compliance through a culture of security must elevate the CISO to their rightful place. This means three things in practice. First, other executives must actively combat the perception that security is a necessary evil, both among themselves and their direct reports. Second, the CISO must educate the organisation that basic compliance often doesn’t equal actual security. Finally, the CISO must have a voice in the boardroom, to advocate for security as a long-term strategy and ensure the responsibility for these initiatives does not become siloed within the IT department.
Make Security a Grassroots Effort
The CISO has the responsibility to constantly educate and bring awareness to security issues that can impact the greater good of the company. In the age of cybercrime, securing the business is everyone’s business. But getting employees to understand and buy into security practices is a challenge – especially if security isn’t part of their day job.
One powerful solution is to approach security from the ground up. Rather than handing employees a list of requirements and policies from on high, companies should help their people understand how poor security habits could impact their job, their career, their co-workers, and the business as a whole. Host training sessions and create a designated messaging channel for reporting suspicious activity. Make the whole company feel like an elite security taskforce, responsible for protecting the business. By approaching it from both the bottom up and the top down, there is a much better chance of perpetuating a security-minded culture.
Learn to Quantify Information Security Risk
Over the last 22 years, I’ve learned to explain security in a way that is impactful to many different audiences. While each approach is slightly different, security in the context of risk and trust will be understandable to anyone listening. For marketing and branding people, it’s brand value. For finance and operations, it’s the cost of lost or exposed data, and the resources necessary for remediation. The key is to apply information security risk to the different disciplines, and ask questions that make the executive you’re talking to not only understand the issues, but spring into action.
By tailoring the message to different audiences, CISOs can align the rest of the organisation around their strategy, and promote cross-departmental collaboration to accomplish security objectives.
Promote Diversity and Opportunity in Cybersecurity
Technical skills are only good when you have a legitimate place to apply them. Despite the talent shortage in cybersecurity, widespread economic equality has led many skilled individuals to become hackers. While some issues, like the rise in cyber warfare, can only be addressed through international cooperation, companies have a role in increasing the number of legitimate jobs for technology workers.
In particular, companies need to do a better job recruiting diverse minds. Show up at local career fairs and events that cater to women and minorities. Make sure your job postings aren’t biased. Hire a compassionate HR business partner to support and promote diversity in the workplace. Data security and privacy impact everyone, and the more minds we have working on solving these issues, the better.
As we near the one-year anniversary of GDPR, it’s time for companies to take a hard look at their security culture. Do employees understand their role in securing the business? Is your CISO in a prominent position and able to quantify information security risk? Are you creating opportunity for all types of people? For those who answer yes, GDPR compliance becomes just a little bit easier.
By Joan Pepin, CISO and VP of Operations at Auth0