Rob Buckley – Freelance Journalist and Editor

The baby bull elephant in the room

"Compliance is like a baby bull elephant: it's big today, it's only going to get bigger and if you upset it, it's going to rampage." That's how one CIO describes compliance, a topic that should be a concern of every information security professional working today.

As a result, companies took on one-year contracts - the shortest time possible - for the services while they evaluated them, and are now looking to replace their initial technology choices, having found that the technology didn't serve their purposes or offered a poor user experience: in some cases, there were delays on calls and delays of up to a minute in placing calls. Hammerton feels that, now that organisations have a solution and are no longer under such pressure to become compliant, and now that he has the backing of partners like Fujitsu and Orange, organisations will be able to adopt his company's technology, which avoids time lags by using replacement SIMs and equipment stored at network exchanges rather than software on phones.

And then there's another piece of EU legislation: the EU First Company Law Amendment Directive. This requires companies to include their registered company name, registration number, place of registration and registered office address in every email sent, including those sent from mobile phones with email capabilities. Companies like The Email Laundry, which offers a solution for automatically adding such information to every email, are hoping to capitalise on this legislation, but with penalties of up to only £1,000 for non-compliance, it's likely to sit lower on CSOs' priority lists than other tasks, assuming they've even heard of it. While many large public sector organisations will have extensive briefings and training from the government about compliance, and larger private sector organisations will have compliance departments or legal teams well briefed on the laws, Deloitte partner Peter Gooch says that many smaller companies, particularly those in relatively unregulated industries like the media and smaller companies such as tech start-ups, are about five to ten years behind regulated industries in their attitudes to and knowledge of regulation.
How much attention organisations pay to compliance is also influenced by the penalties for non-compliance. Si Kellow, CSO of Proact, says that because of the low maximum fines associated with compliance legislation, he - along with many other CSOs - ranks his compliance priorities with contractual obligations at the top of the list, followed by the chance of brand damage for lack of compliance, then fines and any other requirements after that. Logica's business consulting cyber security lead Cheryl Martin says that reputational damage may be even more important in sectors such as oil and gas where it can have a colossal effect on share price, whereas for other organisations, an inability to trade because an authority has removed authorisation - whether it be the PCI-DSS or the FSA - will be a concern. At the moment, fines will remain the lowest issue, except in the most heavily regulated industries, but Kellow says the huge potential size of fines under the new EU data protection legislation will change priorities.

Adrian Davis, an analyst at the Information Security Forum (ISF), argues that as well as trying to stay up to date with compliance legislation - hopefully with the help of either a compliance department or consultants - trying to get different pieces of compliance legislation to fit together coherently is one of the biggest problems CSOs face. A global organisation has to face the different attitudes of US and European legislators towards data privacy, for example. On top of that, regulators of different markets may impose requirements that don't tally with government legislation, and even a country's own regulators can impose rules that differ from those imposed by the government elsewhere: "Some financial services records need to be kept for at least seven years, others for as long as 20-30 years. Yet the DPA requires records to be kept for a maximum of seven years unless you're doing something with them."

The best a CSO can hope to do, according to Deloitte's Peter Gooch, is to follow good security practice such as ISO27001, educate staff as well as possible, implement some form of data loss prevention technology, be proactive and try to be compliant with at least one regime - but that's still no guarantee of safety.

Logica's Cheryl Martin concludes: "For some, it feels very lonely being a CSO. Most of their work is about compliance now and too often, IT security is taken into the boardroom and disregarded by members. The moment there is a breach, they'll be the one in the limelight, it'll be their operational structure that is questioned, when 99 per cent of the time it's an employee that caused the breach in the first place." Compliance may be an organisational problem, but ultimately, it's the CSO's problem and like that baby bull elephant, it's only getting bigger.

Case study: Proact
Si Kellow, CSO of cloud provider Proact, has worked in IT and security in both the public and private sectors for over 20 years. He wishes he had the time to focus on compliance, but he doesn't. "Unfortunately, there are so many areas - not just privacy and data security, but also financial regulations and PCI, for example - that it's just far too big. If I could dedicate my time to looking at compliance, I could probably fill my week several times over."

Proact handles data for customers all over Europe - not just the EU but also for countries outside the union, such as some of the Balkan states. Although it doesn't operate in any particular vertical market, general compliance rules apply to it with regards to data protection, for example. However, despite data protection being an EU-wide requirement, Proact faces problems dealing with it in practice.

"Within the UK, there's the Data Protection Act 1998," says Kellow. "That is the enactment into UK law of the European directive on privacy. The problem is that each state has its own enactment of that." Proact now takes a 'highest common denominator' approach, looking to all the states in which it trades for the strictest data protection compliance requirements and abiding by those, while having local representatives in different countries to ensure any local 'wrinkles' in compliance are abided by.

However, getting to know what those data protection requirements were was "trial and error" according to Kellow. "I found out where we were doing business and asked in-house if there were any local requirements, whether anyone had an interest in the country and if they had any resource to assist me." Proact has now hired a former corporate lawyer and the company effectively has an in-house legal resource. "I ask him if he sees anything about data, privacy or compliance to flag it and I'll get the details."

Since becoming CSO of Proact in November, Kellow has endeavoured to make the company more systematic in its compliance efforts. "I said what we needed to do as a business was say 'This is the path we want to take, we need to map out the common denominators and we need to get the business compliant to a point.' We can now just compare any new compliance measures to the map, see we're already at a particular point and whether that's above or below the requirements, and then just start to deal with deltas. As a business that makes us far more agile."

Technology naturally comes into play with compliance issues. Proact uses encryption technology, for example, to ensure that all data coming into its systems is worthless if there is a breach, and ensures that virtual machines can only be booted on specific hardware. He also has data distribution systems, though for compliance, process is more important to the company than technology. "One thing key to all compliance requirements is they all ultimately come down to the written word. It doesn't matter what technology you have unless all the staff have got the words, understood them, and are tested on a regular basis to make sure that their understanding is up to date. Unless you have the written word sorted out so you can map the technical controls onto it, the technical controls are meaningless."
