Settling in with GDPR.
Dave Bittner: [00:00:04] Hi, everybody, and welcome to CyberWire-X, a series of specials designed to highlight important security topics affecting organizations around the world. This is part two of a four-part series called "Ground Truth or Consequences: The Challenges and Opportunities of Regulation in Cyberspace." Today we take a look at how GDPR has affected organization since it went into effect earlier this year. Is it having the desired effect? Are things proceeding as expected? And have there been unintended consequences? And what's the best strategy for compliance in a rapidly evolving global regulatory environment?
Dave Bittner: [00:00:41] A program note - each CyberWire-X special features two segments. In the first part of the show, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show's sponsor for their point of view. And speaking of sponsors, a word from our sponsor, Gemalto.
Dave Bittner: [00:01:02] Your enterprise is rich with sensitive data at rest and in motion throughout the network. But what happens if that sensitive data isn't secure or if it's improperly accessed? We're guessing that regardless of what defenses you have currently implemented, the thought of your data being stolen or manipulated keeps you up at night. Gemalto tackles the two main causes of cyberattacks - identity theft and data breaches. They do this by providing next-generation digital security built from two technologies - secure digital identification and data encryption. Gemalto already operates these solutions for many well-known businesses and governments, protecting trillions of data exchanges. And as independent security experts, they guarantee digital privacy and compliance with data-protection regulations. Gemalto puts you back in control of your own data. Visit Gemalto today to learn more about their access management and data-protection solutions. You can also check out the most recent findings from the Breach Level Index, which tracks the volume and sources of stolen data records. Go to gemalto.com/cyberwire to subscribe and learn more. That's gemalto.com/cyberwire. And we thank Gemalto for sponsoring our show.
Steve Durbin: [00:02:29] I do think that we've seen some perhaps byproduct benefit in terms of this global consistency that we're starting to see come about.
Dave Bittner: [00:02:37] That's Steve Durbin. He's managing director of ISF, the Information Security Forum. They're a global authority on cyber, information security and risk management.
Steve Durbin: [00:02:48] I'm not going to say that it's the best piece of legislation that could have been created. But I think it's not bad. I think that it has caused organizations to react in a way that some of us would have liked them to react without the regulation being there. But if this is what it's taken to bring about a heightened degree of cyber awareness and security awareness, I think that's a good thing. If it's brought about a little bit more preparedness for organizations and how they respond to breaches and keep people informed and protect personal data, I think that's a good thing, too.
Caleb Barlow: [00:03:21] I think one of the things we look at when we think about GDPR is that, obviously, the focus here is on protecting privacy, particularly of consumers.
Dave Bittner: [00:03:29] That's Caleb Barlow. He's the VP of threat intelligence for IBM.
Caleb Barlow: [00:03:33] It comes with a pretty stiff penalty. So, you know, for example, if a company doesn't disclose to European regulators within 72 hours, some of those penalties can be quite severe. And not only do those get people's attention, but they also drive some rather interesting, unforeseen consequences.
Emily Mossburg: [00:03:53] We're still seeing this - what is this truly going to mean? How heavy are the fines?
Dave Bittner: [00:04:00] That's Emily Mossburg. She's a principal with Deloitte Risk and Financial Advisory. She leads the advise and implement practice within their Cyber Risk Services.
Emily Mossburg: [00:04:10] I still think that we're a bit in the wait-and-see period. I mean, the first actual enforcement happened at the end of September. Now we're - you know, we're just now in November. I think that there's still some wait-and-see attitude.
Caleb Barlow: [00:04:27] I think one of the challenges that every company is facing is that if you've just found out about a breach, you don't typically know a whole lot within that first 72 hours. And if you think of all the emotion that's going on at that time, you're trying to figure out, are the bad guys still on the system? Have we contained this? How much is affected? And you may - you know, there's a very good chance you may not know.
Caleb Barlow: [00:04:53] You may know that you've got a problem. But you may not know if data is actually leaked out yet. So, you know, you've got this challenge of, do I disclose? Do I not disclose? - because obviously, the last thing a company wants to do is disclose, risk that becoming public and then find out later that actually, there really wasn't a problem. It was a little bit more of a false alarm. And these types of things can happen often.
Steve Durbin: [00:05:19] Anybody who's been involved in a breach of any sort knows that, you know, in those first sort of early days, you really are struggling to try to understand how you can stop the bleed, how you can get it back together. And then you start to move on to trying to figure out through forensics as to exactly what the problem has been and how it came about and so on.
Steve Durbin: [00:05:41] So I think there was always some skepticism around whether or not the time scale for reporting was right. My own view on that is that it didn't matter what timescale you came up with. You were never going to get it right, so you were never going to please everybody. And I think we can argue whether 72 hours is the right amount or not. But that's what it is.
Caleb Barlow: [00:06:03] So first of all, we have to remember that we haven't seen a whole lot of litigation or fines yet come out of GDPR. Obviously, that will happen over time. So I think if you think about where lawyers are and, typically, the advice they would give companies, they don't have a lot of case law to base that on yet, right? So those norms are still being figured out. But in addition to that, you know, we're seeing the emergence of kind of two schools of thought here.
Caleb Barlow: [00:06:29] One school of thought is to lean into this, disclose rapidly and often when - any time you see a - any type of incident and let those regulators know. Now, obviously, that starts to inoculate you from the potential fines and gets government involved. And I think that's, ultimately, what governments around the world are really asking for.
Caleb Barlow: [00:06:49] There is, however, another school of thought, where, you know, a lot of other companies are looking at this in a little more of a conservative view and saying, look. We're not going to lean into regulators until we know for sure that we've actually got a problem and we can truly understand - have evidence to back that up. I'm not here to say which approach is right or wrong. But it's certainly creating a lot of discussion.
Emily Mossburg: [00:07:12] I mean, the challenge with these kinds of laws and regulations are - the devil is in the detail as it relates to how it's written and then how it's interpreted. And I think that, honestly, that's probably why we aren't seeing as much traction at a national level related to these laws and regulations. I think that it becomes very sticky in terms of the actual wording and the way in which to write things because the space of technology and the space of cyber and protecting data and thinking about the different technical controls and process level controls that may need to come into this, it's an evolving space. Laws and regulations are meant to be longer term.
Emily Mossburg: [00:08:03] And so I think that there becomes this back and forth in terms of being precise without being overly prescriptive. And I think that in many cases, it causes a lot of circular conversation about what should be in the law and regulation. And sometimes, it gets to a point where you can become mired down in the detail.
Caleb Barlow: [00:08:26] Not only do we have to deal with European regulations, but here in the United States now, there's 54 different breach disclosure laws. So - and they're all different, right? So, you know, once you start telling one, then you start to get into the question of, well, who else do we need to tell? Do we have to tell them the same thing at the same time or different things at different times? So it can create quite an interesting environment where a company's trying to navigate that, make sure they're not going sideways of the regulator. But at the same time, they've got to work through this crisis.
Caleb Barlow: [00:08:59] And let's also remember - particularly with larger-scale breaches, you not only now have a technical crisis, you may have a communications and reputation crisis. But also, now we see automated hedge funds automatically trading stock of companies that have been impacted. So at the same time, you add in a potential financial crisis. So there's obviously, oftentimes, some resistance to going public with this until you're ready and until you know all the facts.
Emily Mossburg: [00:09:27] What this really all comes down to is, how do you bring all of these different laws and regulations together into a framework where you can compare and contrast requirements, understand where there are similar or the same requirements across laws and regulations? And in some cases where you're talking about a privacy law or regulation for security law or regulation, you might find things that aren't necessarily conflicting but aren't all also - come at the same problem from different angles - and so require you to sort of thread the needle carefully in order to think through, how are you going to implement a program that is in compliance with this complete framework of laws and regulations that you're dealing with?
Steve Durbin: [00:10:20] There's been a general view that, actually, if you're handling European citizen data in any way, shape or form, then, obviously, you're going to have to comply with the GDPR. So, you know, we've seen countries such as India, for instance, we've seen countries such as Singapore or Australia all coming out with national regulations that have set the bar in terms of personal data at the same level. And for me and, certainly, from the people that I talked to in organizations as well as in government, that's viewed as a very positive step because at least we are starting to get - by accident, some would say - a degree of global consistency around the way in which we manage personal data.
Steve Durbin: [00:10:59] We're also starting to see some other things coming about, which is also interesting, where certain countries are saying, well, hang on. If we're going to have to store and manage personal data, what about the cloud? Well, maybe you need to be making sure that your personal data as it refers to a particular citizen is held within national boundaries. We've seen that coming out of Russia. We've most recently seen that coming out of Vietnam. So I think we're starting to see some morphing and changing coming off the back of it. But overall, I think that sort of global consistency is something that we're starting to see come about.
Caleb Barlow: [00:11:38] You know, I think anything that we start to do to have more of a dialogue about maintaining privacy is a really good thing. And, you know, if we look underneath the goals and objectives of GDPR, it's very noble in its pursuits. The challenge we run into is you end up with some unintended consequences. So, for example, one of the biggest things that we're all dealing with is the loss of WHOIS data. And, you know, if you' think about it, the Internet was basically put together, and one of the primary principles was that we would all have free and unencumbered access to WHOIS data, to know who is behind this interaction, who registered this domain.
Caleb Barlow: [00:12:22] And even when bad guys register false domains, Dave, there's enough information there that we can correlate to go, oh, well, the entity behind this also registered a thousand other domains at the same time. So if one is bad, they're probably all bad. And security companies have had a longstanding history of rapidly working through that and blocking all of those potentially nefarious domains to prevent us all from accidentally getting phished. But with losing that data, it gives the bad guys an edge because we can't correlate those domains.
Caleb Barlow: [00:12:57] In fact, we have to go through and mock each one bad individually, and effectively wait till somebody is impacted before we can mark it nefarious. But I think the most logical place for regulators to start is to really engage in the conversation with ICANN and really get this WHOIS data problem fixed. Because without WHOIS data, we're all losing out. And ultimately, the loss of WHOIS data - it's increased the threat landscape, it's increased the time in which it takes us to take down a bad domain. Ultimately, that could cause the largest privacy breaches we've ever seen in history as an unintended consequence of GDPR.
Emily Mossburg: [00:13:36] And so what we often advise our clients to do is create a singular framework that brings together all of the different laws, regulations, standards - in some cases, contractual requirements - that they have around this space in order to come up with a complete framework that is inclusive of all of their requirements, with a focus not necessarily on compliance across the entire organization at 100 percent of this framework, but likely a standard and a framework that meets 80 to 90 percent of these requirements with an understanding and an articulation and identification of the areas where they need to then go back and make adjustments and customization to the framework and the implementation of that for those areas that need that additional 10 or 20 percent based upon the type of business it is, based upon the location, based upon the type of data, et cetera.
Emily Mossburg: [00:14:47] But what we really find is that if you have a singular framework that you're working from, it really is helpful in terms of building an overall program, and most importantly, reporting against and assessing against your programs and the laws and regulations. The thing - 'cause that's the thing about laws and regulations, you have to be able to prove compliance, which means you need to be able to do assessments on an ongoing basis to show that the programs, the processes, the tools, the solutions, the organizations that you have in place allow you to be compliant. And so by having this overarching framework, you are then able to really operationalize this complex web of legal and regulatory requirements.
Steve Durbin: [00:15:36] Because you don't have very much time. You don't have that luxury of being able to sit back and plan it all out. You know, because you do have to notify not just the regulator but also the people who've been affected. You have to keep them informed of what's going on. You have to put in place very quickly now some mitigation for them so that they're reassured that you've taken all of the reasonable steps.
Steve Durbin: [00:15:59] And so I think that that has really caused organizations, as I say, to make sure that their playbook has been written, is up to date, is rehearsed. And that, for me, again, is a good thing. It's moving into, I think, being able to tick the cyber hygiene response box that we didn't have before. I'm not saying everybody's in that position, but there are a lot of people - I include myself in this - who, you know, if you're running an organization, you know that come the day there is a breach, you're going to have to go out there and explain what's been going on to regulators, employees, shareholders, customers, press, everybody who's interested in it. And speaking personally, you know, I really want to make sure that I know what I'm supposed to be doing before that day arrives. And I think a lot of people share that view.
Jason Hart: [00:16:53] Leading up to GDPR, from what I've seen, there was a lot of confusion.
Dave Bittner: [00:16:57] That's Jason Hart. He's CTO for enterprise and cybersecurity from our show's sponsor, Gemalto.
Jason Hart: [00:17:04] More confusion than actually doing things. I know of very few organizations that were compliant to GDPR at the point of the required date. I'm still aware of many organizations still going through the process and ensuring they are compliant with GDPR.
Dave Bittner: [00:17:20] Now, do you think there was sort of a tactical approach to this that people were intentionally taking a wait-and-see attitude to see, as long as we show that we are working on this, then perhaps that will buy us some time to see how strict the enforcement actually is?
Jason Hart: [00:17:36] I think, for me, what I was saying to organizations, it's a very good opportunity to start ensuring you're applying the basics from an information security point of view. So the approach I would say to organizations, providing you've gone through an appropriate risk assessment, you have a appropriate security framework in place, you understand the types of data, where the data is, the location of the data. More importantly, you understand the risks and applying the appropriate security controls, that you're some way forward in being compliant for GDPR.
Dave Bittner: [00:18:08] Now, can you describe to us what was the spectrum of preparation that you saw in terms of how much work did companies have to do to be in compliance?
Jason Hart: [00:18:17] So I think the first - the biggest challenge that I've seen was actually organizations understanding what data they had, and then secondly, where that data is. And, for me, that's the core foundation of information security. You know, my - I have been in information security for 26 years. Ultimately, from an attacker's point of view, they're after the data. They don't care what type of data it is. They're looking to basically gain ownership of the data, alter the integrity or breach the confidentiality and then monetize it.
Jason Hart: [00:18:50] So, for me, what I was saying to any organization is think like a bad guy. Be very situationally aware. Understand the different types of people in your organization, the data they're actually accessing and where they're accessing it from. Understand the different types of data and understand the locations. So the starting position for any organization, be it for any regulatory requirement or even GDPR, but fundamentally from an information security point of view, is create free buckets, buckets of people, buckets of data, buckets of location.
Jason Hart: [00:19:20] Once you have identified those free buckets, you start creating a process flow between people, data and location. From there, then you identify, is it a confidentiality risk, an integrity risk, accountability or stability? That's 101 information security.
Dave Bittner: [00:19:36] And how much of this is a technology solution? Is that feasible?
Jason Hart: [00:19:41] Yeah. So obviously, you know, the bigger the organization, you want to try and limit the amount of manual processing work or manual work as possible. There's technologies out there to do that. But as a very simple exercise, you know, the board or the management in your organization should quickly sit down and very quickly go through an exercise as an organization. What data do we actually hold? What types of data? And what's the implications based on certain scenarios?
Dave Bittner: [00:20:08] How did GDPR affect organizations' attitude towards data in terms of the amount of data they collect, whether or not it makes sense to hold on to data?
Jason Hart: [00:20:19] Any organization anywhere in the world. We're actually creating more and more data than ever. And as the years evolve, we're going to be, you know, that's going to double and double and double again. So we're in a data economy, data-driven economy. So fundamentally, from a board perspective or a management point of view, it should all be about the data. And my surprise was when I sat down with many organizations and said, OK, let's talk about information security, you know, let's put GDPR to one side.
Jason Hart: [00:20:48] When I say to an organization, what is it you're trying to protect in your organization? Very few organizations or individuals say, we're trying to protect our data. So I think, for me, the biggest surprise was that organizations who believe they were doing information security appropriately were not actually doing it appropriately because at no point were they considering the risk to the data.
Dave Bittner: [00:21:09] I've heard people say that, rather than this inclination that organizations had,- many of them - to hoard as much data as possible - because you never know when you might use, you might need it next - to actually consider data to be almost radioactive, that you don't want to have - you want to have as little data - you want to be responsible for as little data as possible.
Jason Hart: [00:21:31] If I put my business hat on, I want data. The more data I have about my organization, my customers, my users, I can use that data to enhance my business, my technology and use it to drive ultimately revenue and market share. What needs to be considered is, on the basis that you need data now to make the appropriate business decisions, the question comes to - based on certain types of data, what security controls should be applied to that data? That's the conversation.
Dave Bittner: [00:22:02] What are the conversations that need to happen between the folks on the technical side of the organization and the board itself?
Jason Hart: [00:22:09] So, again, if we take this a step higher, security is a board issue. And I think that's what GDPR has done is actually made security or the consideration of security controls around data a board issue. I still feel that many organizations accept it's a board issue and it's an IT issue. But what it certainly started from what I've seen is that is getting the IT and the board having a conversation about the protection of data. Where is our data and security? Personally, I don't think it's gone far enough at the moment. You know, most boards don't actually see this as a board agenda, but we're getting there.
Dave Bittner: [00:22:51] Take us through what a typical engagement is like for you when you're working with a client to make sure that they're approaching GDPR from a practical point of view, where do you begin?
Jason Hart: [00:23:03] When I go into, you know, organizations, irrespective of the size, first of all, I'm trying to understand their pain and their problem. Every organization is different. So, you know, normally when we've come in - when we come in, there is a - they've identified there's a need on protecting data or applying, you know, access control, authentication. So the first thing is, OK, what is it you're trying to protect and why you're trying to protect it?
Jason Hart: [00:23:27] Most of the time, most organizations want to protect everything in the organization, when actually, it's not always necessary. So, you know, to actually apply full-blown security controls and data protection across a global organization or even a small SME can be very, very painful, hence the challenge. So, first of all, we need - I take them through a process to say, OK, what is your need? Why are you trying to do this? And then understand within that process actually the types of risks they're trying to mitigate.
Jason Hart: [00:23:58] Most organizations assume just applying one security control actually mitigates all risk. It's - it doesn't. So it's really walking them through the process, identifying the real risks and then applying the appropriate security control. Could be a process. It could be technology. It could be other controls which then start to mitigate the risk.
Jason Hart: [00:24:17] So ultimately, what you do is you try initially reducing the scope. Create your scope and what you're trying to protect, understand why you're trying to protect it, get that in scope and then apply the appropriate controls and progress from there.
Dave Bittner: [00:24:31] And what's the reaction to that? Do most organizations find themselves having sort of those a-ha moments where they're - you open their eyes to looking at it in perhaps a way they hadn't before?
Jason Hart: [00:24:43] Yeah. For me, the key objective - you know, cybersecurity, information security can be very, very simple. But in order for it to be very, very simple, you need to actually take a broader view. And, you know, again - you know, I'm going to be talking lots of it during the podcast, the concept of situational awareness.
Jason Hart: [00:25:01] From a bad guy's point of view, it's about people, data and process. So if you're just looking at technology, then the bad guys going to look at the people and the process. If you're just looking at the people and not the technology and the process, guess what? The bad guy's going to go either side. So any organization, once they've identified what they're trying to protect and why they're trying to protect it, where does the people, data and process and technology come into it? And then look at the risk holistically.
Dave Bittner: [00:25:26] Now, in terms of GDPR from a big picture, should organizations - I mean, obviously it's here. And they have to deal with it. But is it helpful to look at it as a burden or perhaps an opportunity?
Jason Hart: [00:25:37] I think it's a business case and an opportunity. So I was a CSO or a CTO or even a CEO, you know, trying to get investment across my board or higher up in the organization, it's an opportunity. It's an opportunity to start doing information security properly.
Dave Bittner: [00:25:53] I think it's easy to say, but actually executing that, I mean, that - that's - that - the devil is in those details, right?
Jason Hart: [00:26:01] Which really comes back to, as an organization, if you identify what you're trying to protect and why you're trying to protect it - identify is it a confidentiality risk, an integrity, accountability and auditability risk? - from that point you can then apply the appropriate control. The biggest mistake I see, be it GDPR or other - any other regulation, is an organization try - is trying to enable that regulation or that mandatory requirement across the whole organization. Start by identifying where the critical assets are, the key hot spots, and then build out from there.
Dave Bittner: [00:26:36] In terms of mitigating risk, since we are still in the early days for GDPR - and as we mentioned earlier, I think a lot of folks are sort of looking around and seeing how strict are the enforcement effort's going to be. How big are the fines going to be? What are we really in for here? What's your advice for organizations to navigate that, to take an appropriate level of preparation but also not go overboard with it?
Jason Hart: [00:27:07] There's a lot of - you know, lot of talk around, you know, huge fines, you know, the regulators fining organizations. If I'm a regulator, what I'm looking for is to see that the organization has taken due care. So first of all, I don't think the regulators are out there to fine and to make money from this. What they want organizations to do is to go through a process to ensure that they've identified key sets of data, personally identifiable information, and are applying the appropriate controls.
Jason Hart: [00:27:42] You're never going to prevent a breach from happening. But what you can do is vastly reduce the impact of a breach. In my term, I call this a secure breach. So as a regulator, they want to see that the - as an organization, you've gone through a process. You've identified the hot spots, the risk areas, in your organization and the types of data that could be high risk, you've assessed the risk, you've applied the appropriate control where appropriate. So for me, providing an organization has gone through a very simple process - it doesn't need to be overcomplicated - and then assessed the risk, validated the risk and then applied the appropriate remediation where possible, they can actually show there was due care taken.
Jason Hart: [00:28:26] It's overcomplicated, and it doesn't need to be overcomplicated. And I think that's a really important message. If you're doing the basics from an information security point of view, i.e., you have an - you know, a risk assessment around data, you've identified key data sets, then you kind of are a long way forward on actually meeting the requirements of GDPR.
Dave Bittner: [00:28:51] That's Jason Hart, CTO for enterprise and cybersecurity at Gemalto. Thanks to them for underwriting this edition of CyberWire-X. Be sure to visit gemalto.com/cyberwire to learn more about their access management and data protection solutions and also find out about the Breach Level Index, which tracks the volume and sources of stolen data records. That's gemalto.com/cyberwire. And thanks to Emily Mossburg from Deloitte, Caleb Barlow from IBM and Steve Durbin from ISF for their participation.
Dave Bittner: [00:29:25] CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Narrator: [00:29:48] CyberWire-X.