Tuesday 23 February 2016

The rise of the (Chief) Data Protection Officer

Back in August 2015, Sysnet discussed the complexity of what the term CyberSecurity represents, especially in the context of today’s threat landscape. This complexity is not only constantly increasing but is also expanding at an exponential rate. The risks involved demand constant attention and a very good understanding of the new technologies being introduced onto the cyber defence ‘chessboard’.
Sysnet also explored the noticeable shift in the traditional roles of the CSO (Chief Security Officer) and the CIO (Chief Information Officer) which have changed a great deal over the past five years. Their focus on managing security by applying resources to the most crucial system components, in order to reduce the likelihood of a successful breach, is now considered an insufficient approach in the current environment of cyber threats. Threats are changing faster than traditional risk management approaches can cope with, and a more proactive and adaptive approach is needed for an effective cybersecurity strategy.

Looking back a bit further, Sysnet discussed the new EU Data Protection Regulation, which requires the appointment of a Data Protection Officer (DPO) for most organisations, and explained the role and responsibilities of the appointed DPO. 

The DPO’s role in safeguarding the organisation in accordance with the EU Data Protection Regulation’s requirements will also require deep knowledge of current and emerging technologies, the evaluation of organisational processes, policies and procedures to ensure alignment with the new regulation, and implementation of technical controls to ensure the confidentiality of personal data.

For all the above reasons, the role of the DPO is currently being discussed at board level. One of the most important factors in appointing a DPO will be finding someone with a very strong understanding of security and data privacy, instead of appointing someone with only risk management skills and a legal background, not only because of the new Data Privacy requirements but also because there is an increasing need to be better protected against the constantly evolving cyber threats that target confidential and personal data. It is no surprise to see staff training also being specified as a requirement under the proposed regulation. The appointed DPO does not have to be an employee of the company, allowing consultancy firms with the expertise to act as the appointed DPO where no qualified internal resource is available.

Why is this so important?
Predictions in the cybersecurity space indicate that evolving threats are becoming more persistent and, in some cases, more sophisticated. There is also a significant increase in the frequency and variety of those threats. In other words, the role of the DPO will need to deal with a wide range of security concerns that are already on the rise or expected to affect businesses in the near future. Examples of these security concerns, based on current industry trends, technological advances, expert insights and last but not least legal framework changes, are given below:

  • Privacy issues which in some countries are considered as a human right. The responsibility and the cost of safeguarding the data falls to businesses and their respective security professionals.
  • Laws governing sensitive data related to handling and use of such data. Especially, after the US government revealed its PRISM program, many countries started working on laws regarding the handling, processing and domiciling of certain data.
  • After the Bring Your Own Device (BYOD) frenzy, Internet of Things (IoT) has introduced a large number of devices into both the home and business environment that increase risk of unauthorised snooping or exposure of sensitive data, as in most cases security is barely an afterthought.
  • Cloud services and storage have been used as solutions to mitigate risk as they provide easy scalable extra capacity, automated backup and recovery, and an ability for the organisation’s employees to work from anywhere. However, the secure transfer and storage of sensitive data, by the use of strong encryption from point-to-point, is proving to be not only necessary, but in some cases an extremely complicated task.
  • Permanent Denial of Service is a type of attack that can have a significant impact on the software and/or hardware of a system. These attacks exploit misconfigurations or security flaws in order to destroy a device’s firmware. Such an attack may install malicious firmware on the target device, or it may leave the device entirely unusable.
  • Ransomware attacks, including both the spread of malicious ransomware files that encrypt files for ransom and Denial of Service extortion schemes that demand a ransom in order to cease the attack. (See also our article on ransomware)

This is not a definitive list of a future DPO’s responsibilities and challenges. It is however a good indication of how complicated the process of ensuring the confidentiality, integrity, availability, non-repudiation, and authentication of data has become. It also demonstrates how important it is for organisations to take responsibility at the most senior levels, adopt a proactive and adaptive approach able to recognise emerging threats and to take action to continually evaluate and update their defence mechanisms to ensure business continuity.

-- This is a blog post I created for Sysnet and I am reposting it here for historical purposes. This was originally posted here.
