A Data Protection Officer recently told me that her budget had shrunk in the run-up to the GDPR deadline in May 2018. But, as we talked, we realised that her budget had reduced because other members of the C-suite were now using those funds to address cybersecurity and data privacy risk issues in their individual areas with a range of external advisors.
This undoubtedly risked duplication of effort and an uncoordinated, more expensive approach. It also meant that senior leadership was not getting a coherent, business-wide report showing what the risks were and that they were understood, accurately measured and being mitigated. Someone clearly needed to lead and be accountable, but who?
In the rush to respond to a growing cyber threat, organisations of all sizes are equipping themselves with the resources and expertise necessary to address privacy and cyber risks. This is no surprise given the financial stakes: GDPR fines of up to 4 per cent of annual turnover or up to 20 million euros for a data breach, alongside the potential for substantial damages awards from supplier and data subject lawsuits.
The C-suite, whether GC, CFO or CIO, all have roles to play alongside their preferred outside advisor. This engagement from senior leaders is welcome, especially where they are able to commit time and resources.
Organisations must, however, also take a joined-up approach. A coordinated strategy with an accountable cyber security and data privacy leader in place will deliver greater resilience against attacks and data loss, and provide a much better response should an incident occur.
The Cyber/Privacy systems integrator approach
In theory, a single internal stakeholder, supported by a single external organisation with the requisite expertise, should lead and coordinate resources from legal, finance and IT to handle cybersecurity.
This coordinated approach should produce efficient resource utilisation, enable a flat cost structure and provide unified progress measurement and documentation of an organisation’s cybersecurity and privacy efforts.
What is commonly called a ‘system integrator’, or someone who specialises in bringing together various subsystems or strands into a whole, would need to oversee everything. They would also need the relevant expertise for the role from a management and cybersecurity perspective.
A simple categorisation of the work required to build resilience and conduct a response, detailed below, could inform who is best placed to take this role.
Build Resilience
- Baseline: Establish a baseline. What gaps exist between operational reality and a relevant cybersecurity or data protection standard?
- Remediate: Address the gaps identified in the baseline step above and consider proactive steps to renegotiate the risk allocation in key supplier and customer relationships.
- Maintain: Conduct patching, penetration testing and other security maintenance items. Refresh awareness programmes with technology and training. Respond to newly identified threats. Conduct senior-level incident response scenario rehearsals.
Conduct a Response
- Investigate: Conduct a legally privileged, evidence-based investigation into the cybersecurity incident to stop the intrusion, stop data loss and take next steps; coordinate with a Security Operations Centre; conduct forensic network analysis; respond to any external threats; communicate with law enforcement authorities, regulators, customers and stakeholders.
- Mitigate: Take actions to mitigate the risk to business operations; conduct customer and investor communications.
- Defend: Conduct litigation to defend against regulatory fines and third-party damage claims.
Ideally, the integrator will have a strong understanding of regulatory compliance, notably GDPR, and will be able to train staff, carry out risk assessments, and put in place incident response teams and breach mitigation procedures.
The appointment of an integrator does not mean that specialists within a business will stop their cybersecurity work. Instead, the integrator’s position creates a more effective division of labour to allow specialists to focus on their areas of expertise.
Whilst employing an integrator is beneficial for a wide range of businesses, small and medium-sized businesses in particular would do well to adopt this approach. The integrator model allows these more resource-stretched businesses to successfully set up and manage agreements with a multitude of parties and contractors, all the while maintaining an effective cybersecurity infrastructure.
It also allows smaller companies to put in place strategic plans and to action these efficiently in breach scenarios, even if this requires sub-contracting certain tasks. This approach also has commercial benefits for SMEs: an integrated cyber strategy can simplify contracting and vendor management.
Three alternative approaches
Different stakeholders and budget-holders will generally take different views on how best to lead a cybersecurity and privacy project, with CIOs and CISOs usually preferring IT consultants, GCs choosing law firms and CFOs preferring large audit firms to manage cyber projects.
All of these options have their unique advantages. But problems relating to information silos and coordination are likely to persist with all three unless there is an integrated approach.
An IT consultant is the path of choice for most CIOs and CISOs, and these firms clearly have a technical solutions focus. They can deploy secure cloud services, design IT security infrastructure and provide reactive services to mitigate data breach damage. They can also conduct penetration testing to identify network vulnerabilities and then act to patch these.
A popular option for CFOs is to choose an accountancy audit firm to lead the cyber strategy. These organisations have the benefit of valuing data as a business asset as well as for compliance objectives, helping companies comply with regulation and mitigate risks, all the while assessing the business value of data and how best to use it.
The GC will likely turn to a law firm to lead cybersecurity, privacy governance and project management, provided the technical IT elements are addressed by other internal or external providers. This strategy addresses compliance, policy and process. It also enables the business to deal with any matters from a crisis perspective should one arise. Law firms can review and inform compliance policies and processes, carry out third-party risk assessments and, together with specialist IT firms, perform cybersecurity audits.
Legal privilege is perhaps one major consideration given the risk of fines and third-party litigation. It needs to be kept in mind that although compliance is crucially important, it should be a complement to, rather than a substitute for, cybersecurity infrastructure.
Best in class solution
The system integrator approach provides the most uniform system to efficiently execute a cybersecurity strategy and report on compliance progress for key stakeholders in the boardroom.
With cyberattacks on the rise and the threats they pose to organisations becoming more worrying than ever, it is vital that companies put in place a centrally managed, comprehensive cybersecurity strategy. This should be managed from the top, taking a holistic view. This will ensure that all aspects of security and privacy are considered and a strategy is put in place that encompasses everything from compliance and security to breach mitigation and response. This is the best way forward for an integrated and sophisticated cybersecurity and privacy strategy.
By Brian Craig, legal director at UK law firm TLT
TLT supports large corporates, public institutions and high growth businesses on their strategic and day-to-day legal needs. Able to advise across the three UK legal jurisdictions of England & Wales, Northern Ireland and Scotland, the firm has offices in Bristol, London, Manchester, Glasgow, Edinburgh and Belfast, as well as a specialist ship finance team in Piraeus, Greece.
With significant experience advising organisations in the clean energy; digital; financial services; leisure, food & drink; public sector; real estate; and retail & consumer goods sectors, the firm has a strong track record of consistent growth driven by client need. TLT has over 100 partners and employs around 1,000 people.