25 May 2018

What CISOs Need to Know About GDPR

Synack

It’s a big day for data protection and privacy. We’ve been talking about and anticipating GDPR (the European General Data Protection Regulation) for over a year now, and it finally goes into effect today. All the talk about the preparations and the ramifications of GDPR (i.e., “Am I ready?”, “How should we prepare?”, “What are the consequences of a breach?”) is no longer just speculation about something distant and obscure. GDPR is here, and now it’s really time to act.

GDPR is focused on protecting the privacy of consumer data, which means that as a CISO, you need to consider the important security issues this raises. Your organization needs to ensure the ongoing confidentiality of all European consumer data that you hold and/or process. Article 32 of the GDPR specifically requires businesses to “ensure a level of security appropriate to the risk” of data being stolen. As a general rule, it states that businesses should use pseudonymization and encryption to secure personal data. And further, organizations should have processes in place to restore access to personal data quickly (in the case it is lost) as well as processes for regularly testing the effectiveness of security systems.

Security Testing and GDPR

The GDPR is different from most other security compliance regulations because it focuses on the outcome, not the process. The GDPR does not specify exactly what processes businesses must use to keep their customers’ data secure. So as CISO of your company, it is your responsibility to ensure that your customers’ data is kept secure using whatever methods you deem appropriate for your business, whether that’s automated scanning, penetration testing, bug bounties, security auditing, crowdsourced penetration testing, or a combination of some or all of them.

Conducting a test, or even multiple tests, can’t guarantee that you won’t experience a data breach, nor can it guarantee that your company is GDPR compliant. The regulation does not provide perfectly clear guidelines on how you must protect your data. After GDPR goes into effect, we expect standards and case examples to appear slowly. However, security testing is accepted as proof of appropriate attention in other regulations, such as PCI and the New York State cybersecurity laws. It follows that GDPR regulators will look favorably on security testing conducted by outsiders.

Protect Data with Crowdsourced Penetration Testing

While scanners and penetration testing can help you test for and defend against standard and common attacks, the scanners and testers often can’t, or aren’t incentivized to, find security flaws beyond what is on their checklist. This means that your organization isn’t much more protected from a cyber attack than it was before the test. Think about all of the unknown vulnerabilities still lurking in your systems, serving as a warm and friendly invitation to the criminal actors looking to steal customer data.

What if you brought in really talented humans and incentivized them to find those hidden vulnerabilities? Crowdsourced testing solutions utilize trusted, ethical hackers who use the same methods that criminal hackers do in order to help you secure your networks before criminals can get to them. When you utilize an incentivized human crowdsourced approach to testing, you will get a better sense of how resistant your systems (and your data) are to attack.

After you use crowdsourced penetration testers to uncover vulnerabilities, you can also use them to help you patch those vulnerabilities before a malicious actor can extract anything valuable from them. Using crowdsourced penetration testing to find and fix vulnerabilities will help you protect your customers’ personal data and avoid fines resulting from non-compliance with the GDPR. (What are those fines? In the case of a large-scale data breach, the organization could be fined up to €20M or 4% of global annual turnover, whichever is greater. For more minor breaches, organizations could be fined €10M or 2% of global turnover.)

At the very least, it is certainly proof of your attention to your security practices, which seems to be the main point of the GDPR: prove that you are doing your due diligence in mitigating security risks.

Benefits of GDPR Compliance

The most obvious benefit of GDPR compliance is avoiding the financial and legal penalties for falling short of the regulation. Being fully prepared for GDPR can also provide other benefits for your organization, like avoiding the hassle and expense of dealing with a data breach, brand damage, and customer distrust. Article 32 of the GDPR urges businesses to put secure processes in place to protect themselves and their customers. GDPR is here: it’s time to protect your business, your data and your customers!