Security Think Tank: Brexit and infosec – for now it’s business as usual

What are the pros and cons of the UK leaving the EU for information security professionals and data protection?

As the Brexit story continues to evolve, information security professionals are beginning to ask themselves how life outside the European Union will affect their professional lives going forward.

Irrespective of political opinions, Brexit undoubtedly represents change and our profession will not be immune from its impact, both positive and negative.

These are some of the ways in which the profession could be affected:

Wider economic repercussions may reduce infosec budgets.

  • Most economic predictions have indicated a slowdown in the UK economy because of Brexit. Should things pan out as predicted, this will undoubtedly result in a general tightening of IT budgets and this is likely to have a knock-on effect on IT security budgets.
  • IT security is often seen as a discretionary spend and may be a casualty if there is a recession. In previous economic slowdowns, we have seen hiring freezes, which make it difficult to deliver any increase in demand for IT services with permanent staff. If demand for IT services maintains the same pace, this may present an opportunity for the contract and consulting market.
  • Reductions in budgets mean it is likely we will be asked to deliver more for less, with one result being that the deployment of solutions that support the automation of IT security-related tasks is likely to be encouraged.

On the other hand…

Fear and uncertainty drive demand for infosec professionals.

Most information security professionals will be familiar with the difficulties in putting together a business case for spending on IT security. Infosec projects rarely deliver a return on investment and are typically treated as an “insurance policy”.

As noted above, Brexit may reduce infosec budgets. Alternatively, nothing sells insurance better than fear and uncertainty, and the political instability that surrounds the UK’s exit from the EU may instead translate into a desire to improve big businesses’ IT security posture.

For organisations that take information security seriously and recognise the changing threat landscape, this may result in an increased interest in information security initiatives and demand for the services of infosec professionals.

Impact of EU legislation

The impact of EU data protection legislation will not really change.

For organisations that operate in Europe, compliance with EU data protection legislation will continue to be a business necessity. The previous EU data protection legislation, EU Directive 95/46/EC, has already been incorporated into UK law and is applicable to UK companies irrespective of the country’s position within the EU.

With the new General Data Protection Regulation (GDPR) to come into force on 25 May 2018, many organisations will find it tempting to wait until the dust settles on Brexit before determining the actions they need to take to achieve GDPR compliance. However, in my opinion compliance with GDPR will be required, irrespective of the UK’s future relationship with the EU.

Although GDPR may not directly apply to the UK after Brexit, the Information Commissioner’s Office (ICO) has emphasised that the UK will need to prove “adequacy” if it wants to trade with the single market on equal terms.

In practice, this means the UK will probably mirror the EU’s data protection legislation, so a need to comply with the new regulation is likely either way.

If a company operates and will continue to operate in any EU states, the GDPR will apply anyway.

Availability of infosec skills

One of the most topical subjects of the Brexit debate has been immigration. There is already a well-documented shortage of infosec skills in the UK and organisations are reliant on talent from EU and non-EU countries. 

Controls on immigration could widen the skills gap, but if an Australian-style points system is implemented, it may be easier to access non-EU practitioners than it is now.

On the flipside, new trade agreements that include freedom of movement of workers with countries such as Australia or Canada could create a “brain drain” on the UK infosec workforce.

A lot is being said about the changes that will happen because of Brexit, but it is worth remembering that any formal exit from the EU will be negotiated over a two-year period once Article 50 has been triggered. Two years is a long time in politics and is an even longer time in the IT world.

Keeping up to speed with the changing IT security threat landscape is likely to represent a more significant challenge to IT security professionals than anything resulting from Brexit.

For the moment, it is business as usual for most of us.

Richard Hunt is managing director of Turnkey Consulting.
