How to win clients with Security and Data Privacy

Blog post under Attribution 4.0 International?(CC BY 4.0) , please recognise the authors work.

During the past week I've sat down (virtually) with Nick Widdop for yet another great episode of?The Security Space Podcast , this time we went for a little dive into?security and data privacy by design and by default and how these two can actually drive more business and revenue instead of being seen as the usual money and resources blackhole. which it is commonly perceived as.

If you're part of the group that still thinks that information/cyber security and data privacy are just blockers to the business and money pits for the compliance and/or legal deities then have some faith, they are not.

If you address the issues from the beginning and have a proactive atitude towards Information Security and Data Privacy the amount of money/time/resources that you'll save will be significant and will be for sure a competitive edge to sell more, better and faster.

Times have changed and so has the reality regarding the ever more strict regulations being applied and the due diligence that clients and partners are putting before they buy your products and/or services. Regardless if your client base is within highly regulated markets or not,?if you recall the efforts with the UK/EU GDPR and the time and money spent in getting things right you'll agree with this point of view.

A little PESTLE (Political, Economical, Social, Technological, Legal and Environmental) horizon monitoring would highlight what’s coming or already here and will impact your company, your clients and/or suppliers:

European Union:

• EU NIS 2 directive that includes as one of the main goals:

"a culture of security across sectors that are vital for our economy and society and that rely heavily on?ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure."

• The Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554 - 17 January 2025. (ECB requirements for Financial institutions):

"European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop?technical standards for all financial services institutions to abide by, from banking to insurance to asset management."

• The Cyber Resilience Act that sets four key objectives:

"1. ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;

2. ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;

3. enhance the transparency of security properties of products with digital elements, and

4. enable businesses and consumers to use products with digital elements securely."

• The Product Liability Act that includes Artificial intelligence and Software/Firmware aiming to:

"Addressing the need to ease the burden of proof for consumers seeking compensation for damages suffered because of defective products, the proposal also introduces new provisions to address liability for products such as software (including artificial intelligence systems) and digital services that affect how the product works (e.g. navigation services in autonomous vehicles)."

So if your company, clients and/or suppliers operate outside of the energy, transport, water, banking, financial market infrastructures (including banking, insurance and asset management) healthcare, digital infrastructure, software, artificial intelligence/machine learning, firmware, cars, airplanes you should still keep a close monitoring because sooner rather than later the ideal will be to elevate the standard across all aspect of the society.

"Why should I keep a close eye if my business is not part of the critical infrastructure or software verticals?"

Because other laws and regulations in different countries are also putting pressure on organisations to start bringing their A game in regards to Information Security and/or Data Privacy, and big players in the game are not available to share the risk with your organization, namely:

• January 24, 2023 France passed a law (Article L12-10-1 of the Insurance Code ) that companies can only activate the cyber insurance if you have reported the data breach to authorities within 72 hours if they want to be eligible for compensation by the insurance for losses and damages caused by the attack
• One of the biggest insurers of insurance companies - Lloyds of London - have included "state-sponsored cyberattacks" in the same category of acts of war and therefore uninsurable and?Zurich’s chief executive warned ?in December that "cyber attacks were on their way to becoming “uninsurable” as disruption to society grows".

But on the other side of the big pond things are also changing at a fast pace, if in general the north american markets are less strict and regulated things are also changing and the heat is on regarding Information Security

United States:

• New US National Cyber Strategy signed by POTUS Biden by POTUS Biden shift responsibility from users and small companies to establishing liability for software makers that fail to take reasonable precautions to secure their products and services.
• SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets : "The Securities and Exchange Commission today proposed requirements for broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents (collectively, “Market Entities”) to address their cybersecurity risks."
• Potential for a new Federal law based on California CPRA (January 1, 2023) that is already close to EU/UK GDPR and one of the strictest data privacy requirements across the globe.
• CISA strategy for 2023/2025 is clear "to spearhead a national effort to ensure the defence and resilience of cyberspace", " reduce risks to, and strengthen the resilience of Americas critical Infrastructure" and last but not the least "strengthen whole-of-nation operational collaboration and information sharing."

If all the above does not strike a chord with you and the goals of your organisation you can skip the next part and enjoy a nice cup of tea or coffee while we dive in to the ways of how can I make all this to work in benefit of my organisation?

How can I leverage all these to boost my company objectives?

Simple, if what the regulators, clients and markets want is to see good Information Security and Data Privacy then that is what you need to give them. At the same time this would shield your business and substantially lower your risks and costs.

Being proactive about incorporating security and data privacy by design and by default is always a great starting point but also remember that zero trust is there for a reason and its not a product or a service it's a framework (more on this later on in another podcast).

There are a few frameworks that you can leverage, this is not a solution for all companies and organisations, as everyone is different and I tend not to believe in one size fits all. Please remember that these are just guidelines for you to ask the right questions:

• What are our clients asking for,
• Do we need any of these,
• If so why and how much are we willing to invest in terms of money and effort,
• What's the return of investment in security and data privacy that we can expect regarding sales and reduction of risks and liabilities,
• What would be the blockers to business if we don't have some or all of these,
• Where are we compared with the competition,

The basics done well:

If you are starting or already started any of these please do yourself a favour and do not go for tick-the-box exercise, make sure you do it properly and with good and clear intentions. Just-for-the-auditor-to-see usually does not end well and creates unnecessary and burdensome work, not much good but a piece of paper or certificate will come out of it. It will not minimize your risk or stand against an insurance or client investigation.

Start simple, frameworks like the UK Cyber Essentials are a great starting point for the first step if your target is the UK market.

If you're dealing with a larger part of business across the world then the ISO (International Standards Organisation) is the best choice, the usual

• ISO 27001 implementation and certification is accepted globally as the information security management system (ISMS)
• and if you're going for it or already have it I would strongly suggest that you add the extension to data privacy ISO 27701 - it does for sure help you have a better management of the data privacy aspects of your business and if you're a large data processor for your clients (as define by UK/EU GDPR) then this is a must have.

But you can do better and if it makes sense the recent

• ISO 31700 - Data Privacy by design for consumer goods and services - is a great add to the two ISO certification above and a fantastic way to increment the "security and data privacy by design and by default" strategy that you should incorporate and set as one of the pillars.

If you are in the US then the NIST have created of the best frameworks:

• NIST CyberSecurity Framework and the
• NIST Data Privacy framework for US-focused companies and of course the famous
• SP 800-53 Rev. 5 -?Security and Privacy Controls for Information Systems and Organizations.

But all this sometimes is just not enough, most clients know as we do that everything is great if you do what you say you do but we know that there are many organisations out there that still insist in doing the Just-for-the-auditor-to-see aka tick-the-box exercise.

Then most likely they will ask you for something that can attest that you do what you say that you do with the necessary consistency, enters the

AICPA

• SOC II Type II , an in-depth continue evaluation of your policies, processes and procedures that will review what your company have done during a period usually between 6 months to one year. Usually you'll find the most common reports being scrutinised in relation to:

1. Security and
2. Availability principles, but others such as
3. Processing Integrity,
4. Privacy and
5. Confidentiality can be great to have to show your organisation commitment to the best practices in the industry.

For those that work with the US Federal Government and want to be a supplier then

• FedRAMP is a must and if you don't have it then it will be most likely a deal breaker.

This little blog post is not ended to be a show case of all the frameworks that exist across but the ones that will be more useful for companies that operate within the EU, UK and US.

The point is still the same, regardless if you are a startup or a mature company, having a proactive atitude towards Information Security and Data Privacy will allow to become more competitive, less of a risk for your clients and for your company and costs less money/time to implement.

I would like to personally thank and say hats off to all who have been involved in the development of the UK Cyber Essentials, NIST, ISO, OWASP and other frameworks, for all their contributions.

We all stand on shoulder of giants regarding Infosec and Data Privacy.