GDPR What you really need to know -Part 2: What you need to do?


Solving GDPR requires a new way of approaching data security. There needs to be a paradigm shift that you must embrace:

  • Educated Risk Management: With GDPR, cybersecurity needs to have board-level visibility. The threat landscape is changing, and you can't protect everything at a given cost and timeline. This might be very difficult for senior management to grasp. You need to provide quick, non-technical risk assessments for them to assimilate and act on based on facts and not gut feelings. You need to create meaningful KPIs, measured periodically, to assess how much risk you are taking by following or not following a specific security process. Risk measurement and communication is essential.
  • Information focused security architecture: It is common to create layered security architectures where controls are placed between lower layers and upper layers. However, with GDPR, your boundaries morph from physical (or virtual) components into logical constructs. You need to focus more on logical controls, making heavy use of encryption and tunneling backed by security hardware where possible. Your security boundaries are not server/OS/VM but components of data in transit and at rest. Your service accounts and administrators should be limited to exactly what they need to do and not be Administrator/root on the box. It is not enough for your SIEM to detect a connection being made to a bad IP; you need to know what piece of information that process has access to. This generally brings up Data Leakage Prevention (DLP) technology discussions with customers. It isn't about selecting the right technology, it never was. It's about managing your risk at the right level. Some risks are managed through proper security process management, some through effective security architecture and some through implementing the correct technology.
  • Orchestrated security processes: There is always the risk of an automated system having a security vulnerability, but still most breaches occur because human beings are not able to handle change properly. Optimize your processes for automation and teach your people where to make their own decisions and where to follow the processes. Constantly monitor most, if not all, of your processes against your overall risk measurement metrics, harness the power of dependencies to catch anomalies and analyze non-harmful breaches. The goal is to catch the bad guys before they do any harm, not to prevent them. Don't dismiss the opportunity to learn from their mistakes.
  • Management of Change: GDPR will require organizations to change the way they are doing business. You will need a management of change board, and a proper communication plan on what will stay the same and what will change. Provide training where necessary to your personnel, help desk and your customers to explain the impact and the improved ways of doing their day-to-day work. Most importantly, make sure the new way is the easiest and most convenient way to do things, or people will revert to the old processes where possible.
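To make the SIEM point in the second bullet concrete, here is an added example (not code from this article or from Gandalf): it enriches a "connection to a bad IP" alert with the datasets the originating account can reach on that host and whether they hold personal data, flags unrestricted root/Administrator accounts as a least-privilege violation, and derives a simple KPI from a batch of alerts. All hosts, accounts, IPs, datasets and the blocklist are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed blocklist (TEST-NET-3 address, not a real indicator).
BAD_IPS = {"203.0.113.7"}

# Constructed data inventory: dataset -> contains personal data (GDPR sense)?
DATASETS = {"customer_invoices": True, "pricing_catalog": False, "build_stats": False}

# Constructed access grants: account -> datasets it may read; None = unrestricted.
ACCOUNT_GRANTS = {
    "svc-billing": {"customer_invoices", "pricing_catalog"},
    "svc-metrics": {"build_stats"},
    "root": None,
}

# Constructed host inventory: which datasets live on which host.
HOST_DATASETS = {"app01": {"customer_invoices", "pricing_catalog", "build_stats"}}


@dataclass
class Alert:
    host: str
    account: str
    process: str
    dest_ip: str


def enrich(alert):
    """Return (severity, personal datasets reachable, findings) for one alert."""
    if alert.dest_ip not in BAD_IPS:
        return "info", [], []
    on_host = HOST_DATASETS.get(alert.host, set())
    grants = ACCOUNT_GRANTS.get(alert.account)
    findings = []
    if grants is None:  # root/Administrator: least privilege is violated
        reachable = on_host  # assume everything on the box is reachable
        findings.append("unrestricted account (least privilege violated)")
    else:
        reachable = grants & on_host
    personal = sorted(d for d in reachable if DATASETS.get(d, False))
    if personal:
        findings.append("personal data reachable: " + ", ".join(personal))
    severity = "critical" if personal else "high"
    return severity, personal, findings


def unrestricted_share(alerts):
    """KPI: fraction of bad-IP alerts raised by an unrestricted account."""
    hits = [a for a in alerts if a.dest_ip in BAD_IPS]
    if not hits:
        return 0.0
    return sum(ACCOUNT_GRANTS.get(a.account) is None for a in hits) / len(hits)
```

An alert from a metrics collector that can only read build statistics stays "high", while the same destination reached from a billing service account or from root becomes "critical" because customer invoices are in scope.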

Please feel free to provide comments, experiences and lessons learned if you have already started this journey.

If you are interested in our work, please follow Gandalf on LinkedIn or visit the www.Gandalf.com.tr web site.
