Security Think Tank: Aligning data privacy with business objectives

In the run-up to the General Data Protection Regulation (GDPR) compliance deadline on 25 May 2018, as businesses were scrambling to put processes in place to achieve compliance, much of the discussion was around the risk of not complying.

Legal, IT and audit departments obsessively used worst-case scenarios for the scale of penalty and the resulting financial and reputational damage (should a data breach occur) as a stick to prod businesses along the rocky road to compliance.

GDPR gave businesses an opportunity to think systematically about their data. Organisations should have seized this chance to bring together multifunctional teams to enable collaboration across information security, data science, marketing, product and innovation departments to create long-term data strategies.

Instead, organisations spent an excessive amount of time – often at the very last minute – to identify the types of data they collected, the different systems that the data went into, and who owned and used the data. It was as if these organisations were asking basic questions about their data collection, storage and processing for the first time.

In multinational companies, this confusion was worse, with European offices trying to explain the new requirements to their counterparts based outside the EU when they hardly understood the mechanics of this change themselves.

Information security professionals play a crucial role in safeguarding the most critical asset of an organisation – its data. Strategies and implementation plans that relate to prevention of unauthorised access to data by administering firewalls and suitable encryption, including identifying vulnerabilities, are all indispensable for successful compliance with GDPR principles. But although these activities are business-critical, they do not necessarily leverage the full potential of data or align data privacy with business purpose.

If businesses want to optimise their data and generate value from it, information security professionals will need to function as business partners. They should engage with the overall organisational strategy to understand what the business is trying to achieve in order to design the best data management approaches.

Related to this, information security professionals should also assume responsibility for building the organisation’s understanding of the costs of holding data across different systems, so that optimal decisions can be made about what data is absolutely necessary and how much of it is actually needed.

Business value is created through transactions and, in most businesses today, it is through transactions involving data. Organisations are engaged in efforts to expand digitisation and automation across their activities. This has resulted in more devices per employee that, in turn, create more points of risk, an exponential increase in the exchange of data across devices within an organisation and with external partners and vendors.

Added to this are the many additional layers of data that are generated in unstructured ways through the use of social media, emails or the automatic capturing of data on smart devices.

Big data presents incredible opportunities to businesses, and information security professionals could be important enablers in helping businesses derive value from their big data by ensuring that the data sources are resilient, and the external data storage systems are robust, so that business can keep the promises they are making about data security.

Currently, businesses tend to operate in a siloed manner – business units make decisions about what data is important, data scientists stitch it together to generate insights, and information security professionals protect the data without being completely aware of the full extent and purpose of data transactions taking place across their digital ecosystem.

For businesses to drive real value from their data, these professionals need to understand each other’s language, with more collaboration between chief data officers, chief security officers and chief marketing officers.

Finally, information security teams should be at the forefront of providing training to the rest of the organisation on best practices on data handling and the most secure ways of using the systems, thereby helping businesses to create a culture of responsibility.

This means security practitioners need to embrace continuous learning as part of their skills development and qualification process, so they can gain a constantly evolving understanding of the threat, regulatory and technology landscapes that they can, in turn, pass on to other users.