Data protection laws are a big challenge for IT leaders

Navigating the minefield of data protection laws is one of the biggest challenges facing chief information security officers (CISOs) in the UK and the rest of Europe.

CISOs must understand the data protection requirements and manage data accordingly, says Alessandro Moretti, (ISC)2 European advisory board member.

Providing data in a timely fashion to any regulatory investigation becomes increasingly problematic the larger the organisation is because that means there are more borders to cross, he says.

The CISO particularly needs to understand the requirements relating to where the data should reside and how it can be distributed within an organisation, as well as to external third parties.

Moretti, who fulfils a CISO-like role for investment bank UBS as executive director for IT security risk management, says the challenge extends beyond the banking sector to all global companies.

The best way to tackle the problem, he says, is to work collaboratively with external legal professionals well versed in the details of all the various European data protection rules.

"Gone are the days a CISO can safely rely on an IT security function to provide a firewall and that is the end of cross border data control," says Moretti.

The data environment is now much more complicated, fluid and dynamic, which makes it difficult for the IT function to understand where data flows to and where it needs to be protected, he says.

According to Moretti, the complexity makes it unwise for multinational organisations to go it alone and risk exposure for non-compliance.

"Making sure that the professional expertise of IT security individuals takes into account their duty to understand the problem and engage the right expertise is part of my role at (ISC)2," he says.

While CISOs typically choose the technologies and processes to manage data securely, legal teams will check whether or not these meet regulatory requirements, says Moretti.

"That is risk analysis, which is typically done better by organisations in the financial and government sectors," he says.

These sectors have been ahead of other disciplines for many years, says Moretti, which is why (ISC)2 is trying to enhance the competencies of IT professionals in other sectors to help bring them up to speed with an increasingly challenging regulatory environment.