The recent personal data incident concerning Miljödata, where personal data of more than 1.5 million data subjects was leaked as a result of a cyberattack, made me want to reflect on something I’ve noticed in my career as a legal advisor: how organizations tend to pay disproportionate attention to their GDPR compliance in relation to their information security strategy.

Don’t put all your focus on GDPR compliance

Ever since it was introduced, the General Data Protection Regulation (GDPR) has struck fear in both small and large companies with the potentially severe monetary and reputational consequences of a personal data incident and violations of the legislation. Since the GDPR was incorporated into Swedish legislation back in 2018 I have led at least four projects in different organizations and different industries, all with the aim of ensuring GDPR compliance. Although the focus on GDPR has subsided somewhat since 2018, data privacy, and GDPR in particular, still is, and rightly so, a source of nightmares and headaches for many DPOs, legal counsels and management teams.

What I see many organizations struggle to find proper management attention for, however, is the company information security (“InfoSec”) strategy, something that is arguably just as, if not more, important than being able to “tick all the boxes” when it comes to GDPR compliance. A solid InfoSec strategy is the very foundation and the key measure for mitigating the risk of personal data incidents and breaches of the GDPR; it is not the fact that your Registry of Processing is meticulously and always 100% up to date. Now, don’t get me wrong, GDPR compliance is a legal requirement and naturally a key priority for all organizations; however, my point is that we shouldn’t forget about the several other links in the chain of events leading up to, or preventing, a personal data incident. As a corporate counsel faced with a plethora of tasks, all of them equally important to the organization, it is easy to focus on GDPR compliance as a tangible task that can be “closed” and allow you to quickly move on to the next task at hand. However, I argue that what separates a truly great corporate counsel from an average one is the ability to focus not only on the problems at hand but also to identify and address the root causes of problems before they materialize.

Developing a GREAT Information Security strategy

In my career as a manager, I’ve been charged with overseeing the information strategy function and ultimately responsible for ensuring information security in multinational corporations. This has provided me with insights into what I believe are the five key aspects of a strong InfoSec strategy. I call it GREAT.

Goals

Setting goals is a cornerstone of any strategy, and information security is no different. On a high level, the commonly cited goals of a strong InfoSec strategy are Confidentiality (preventing unauthorized access), Integrity (ensuring data is accurate and unaltered), and Availability (guaranteeing timely access to data), also known as the CIA triad. While the CIA triad is arguably always relevant in any InfoSec strategy and the ambition level should be very high with respect to these high-level goals, I would advise breaking your goals down to a level that makes sense for your organization and that is measurable. Take the common KPI of system uptime as an example. The uptime goal should be high, but make sure it is realistic. 100% is almost never a realistic goal in this respect; 99.8% might very well be. Also keep in mind that your InfoSec goals must make sense in light of your commercial operations. A KPI such as uptime is, for example, a very common requirement (often under penalty) in service level agreements, and you need to make sure your goals align with your commercial strategy.

Resources

An effective InfoSec strategy requires resources. I’ve seen too many times that InfoSec operations are left with too few resources to drive an effective strategy. Obviously, the resources needed are a function of the size of the organization and the complexity of your Information Security Management System (ISMS); however, dedicated resources are a critical component of an effective InfoSec strategy.

Experience

Resources are nothing without experience! Or, put differently, a lack of resources can to some extent be counterbalanced by experience. I’ve been fortunate to manage some highly experienced InfoSec professionals and have seen firsthand how one or a few highly experienced professionals can replace several less qualified FTEs. The takeaway here is: if your organization is stretched for hiring resources within InfoSec, go for quality; it will most likely pay off in the end.

Attention

Any InfoSec strategy is left dead in the water unless it has the proper attention of senior management and owners. This is especially true if the ambition level is to go for an ISO certification, where top level management support is actually one of the requirements! The first thing anyone tasked with developing an InfoSec strategy should do is to ensure 100% top-level buy-in and support. Trust me, there is no other way!

Tools

Tools are an obvious one. For every project, whether it is renovating your Jeep 4.0 inline six engine or implementing a strong InfoSec strategy, you need the right tools for the job. This is where experience comes in again. An experienced InfoSec engineer will know what tools your organization requires to monitor your network security, carry out penetration testing, configure a strong firewall, encrypt your data in transit and at rest, and the list goes on.

The Role of ISO

I mentioned ISO certification above. In my previous career I have been involved in the InfoSec operations of an ISO 27001 certified business, both as the responsible manager and, more hands-on, as an internal ISO auditor. In current assignments I’m helping clients to become ISO 27001 certified. Based on my experience, seeking an ISO 27001 certification is a good way of ensuring your InfoSec strategy is robust, GREAT, if you will. Even though the primary focus and benefit of being ISO certified is a strong InfoSec strategy and a significantly reduced risk of security or data incidents, the commercial perspective is not to be forgotten. I’ve seen firsthand how being ISO certified can open commercial opportunities that would otherwise be very difficult, if not impossible, to reach. In today’s commercial environment, your business will most likely be subject to detailed due diligence prior to entering into commercial collaborations. This is especially true if your product is, for example, a licensed technology that will process or otherwise handle client data. An ISO certification means your client can be confident that your ISMS meets the high standards of an ISO 27001 certification. It also greatly reduces the risk that you have to turn down business with said client due to insufficient InfoSec capabilities or, arguably even worse, the risk that you are faced with contractually warranting InfoSec capabilities that you are unsure your organization can live up to.

Tips if you want to seek an ISO certification

If you are a legal professional or otherwise responsible for InfoSec in your organization and want to seek an ISO certification, here are a few of my tips:

  • As mentioned above, make sure you have the full and unconditional backing of your top management and owners as applicable.
  • Make sure you set the scope of your ISO certification correctly and in a way that fits your ambitions and commercial objectives. ISO allows you to decide the scope of your certification, from a legal entity to an entire company group, or even to a single technical system or platform. The scope dictates the ambition level as well as the resources needed to run the project and maintain your certification. Make sure you make an active and well-thought-out decision.
  • Involve experienced advisors from the start. If you have people with ISO competence internally or have the possibility to recruit, good for you; if not, there are a ton of good external advisors out there that can help. If you do go the external route, I suggest you at least try to find someone, internally or externally, who can help you ask the right questions; that way you can save both time and money.

To conclude, a GDPR incident might be just the tip of an iceberg, that iceberg being a flawed or insufficient InfoSec strategy. While GDPR compliance often gets most of the internal attention from top management and owners, I would argue that InfoSec is where every organization needs to start and invest both time and money. This is especially true in this day and age, where cyberattacks are becoming ever more common and where new technology, including AI, continually increases the level of sophistication in attacks.

My sincere thanks go out to Bartosz Drozd, an amazing InfoSec professional, for teaching me everything I know about InfoSec and ISO.