
Security Think Tank: Brexit – An opportunity for infosec pros to take the lead

What are the pros and cons of Brexit for information security professionals and data protection?

23 June 2016 threw the UK, Europe and the world into disarray. Yet there is every reason for those in the security and data business to keep a cool head when considering Brexit.

The global financial industry, the UK’s political system and many other communities are still in the throes of that upheaval.

The IT and data industry did not wake up to a new threat landscape, our systems for managing data had not altered, and any regulations we needed to follow were still as they had been the night before.

Of course, there are still some pivotal details to be worked out in the fine points of data rules, some of which may yet prove a sore point for data and security professionals. Yet, the impact may turn out to be positive.

The heightened publicity of numerous trade, data and privacy deals and regulations the British and European markets operate under – and corresponding concern in organisations about a full risk picture – has opened the floor up to security professionals to take a lead role in company strategy to help companies weather potential storms.

GDPR, NIS and friends

As it stands, there is uncertainty when the two-year process to sever European Union (EU) and British ties will begin. This means no one knows when EU laws will cease to apply in the UK.

The General Data Protection Regulation (GDPR) will come into force across the European Union on 25 May 2018, potentially while the UK is still in the EU. Additionally, it is likely that the UK will need to implement the Network and Information Security (NIS) Directive – also known as the Cyber Directive – by spring 2018.

Even if the overlap between the UK’s EU membership and the application of GDPR in the UK is a short one, any UK organisations that trade in the EU will need to apply it. As a result, despite voting to exit the EU, comparable data protection and cyber security laws in many areas will be necessary to avoid trade barriers.

The main negative point is the uncertainty, but as the EU will deny access to its marketplaces to any company not up to code, certainty comes back into the picture again as we realise the regulations have to be implemented anyway.

Not quite incidentally, when considering international data regulations in this context, those responsible in a risk and compliance role should keep keen eyes on the progression of the Safe Harbour and Privacy Shield saga in the Irish courts.

Opting for private model contracts to cover international data exchanges in the absence of Safe Harbour is a legally uncertain decision, and their use could cause major international disruption if ruled inadequate.

Forewarned is forearmed, and data professionals in the risk, audit and legal lines should think carefully about any agreements they may enter into covering data transfers across borders.

Board with risk

As mentioned, governing boards are now awake to the potential hazards the world of data holds.

In a post-Brexit environment, they are keen on having line of sight on all business processes to get a full risk picture. They are keen to manage risk as best they can with the elements under their control, given the uncertainty presented by external forces.

Simply put, the uncertainty in business post-Brexit means now is the ideal time to marshal all lines of defence. One way to do so is to instigate automated governance, risk and compliance (GRC) systems.

Such a system helps organisations stay inside their risk appetite, adhere to internal policies and (crucially) keep in line with external regulations. Managed within the correct risk framework, it can unlock efficiency in IT and operations and reduce uncertainty.

Among other things, a good GRC system can manage third-party risk and compliance issues, as well as act on any regulatory issues or updates necessary.

It also helps a company recognise its own risk profile and critical applications and assets, a process which can foster an overall awareness of risk in the organisation.

Above all, it’s an operational framework that allows a company to make the best use of its people, assets and technology.

What happens in the political and economic sphere is going to be beyond the control of an organisation’s governing board. Its own governance, risk and compliance is, however, well within control. Now is the perfect opportunity to build the best GRC structure possible to take a company forward into the unknown.

Christos Dimitriadis is international president of Isaca and group director of information security for Intralot, Greece.
