Finally, it is 2018 – a year to be heavily impacted by the EU General Data Protection Regulation (GDPR). What may feel like a revolution was in fact called a reform when the EU Commission announced the first GDPR proposal in 2012. Nothing has changed overnight, but accompanied by regular news of data breaches and activists like Snowden, information privacy has certainly gained some traction since then. Now, I’d say we have a working climate for data protection and privacy in place.
October is behind us, a big month for national security awareness campaigns across several countries. For many, campaigns like this offer the only security training people get during the entire year. But a campaign-oriented approach like this also has a few limitations. You simply cannot frame all your company’s security training needs within one month, and campaigns cannot be arranged for every other month either. So, what should you do when October ends?
A famous thought leader in security, Bruce Schneier, popularised the term «people, process and technology» back in 1999. Our security strategy must cover all three areas, and this holds more true than ever. Technology still gets the most attention, and we still need to advance the people part of the formula. I believe cyber security needs more empathy.
Some insist on the contrary, but any of your colleagues can be a valuable contributor to your company’s security efforts. One example is when you do not have systems, rules or training to cover an unforeseen event, but people improvise to stay both as productive and as secure as possible. Risk-based trade-offs like this happen a lot – although people will not necessarily tell you when they happen – but that’s how business gets done. Another example is when people report incidents (or potential ones), allowing your organisation to improve and become more resilient to cyber-attacks.
It is easy to blame people for security incidents, and this happens a lot. I believe this is an area where the cyber security field still needs to mature, because simply saying it’s down to human error won’t get us anywhere.
Security risks in our organisation are usually risks we want to treat. To achieve this, security professionals turn to implementing so-called controls. This is a word loaded with promise. Of course we want control, especially with the growing amount of cyber uncertainty. But do the techniques we use for controlling risk necessarily result in actual control?
A favourite part of my work is talking with other people. There is so much insight to gain from actually getting to know other people, face to face. Especially when you work with security and IT, and you start listening to what people are actually saying about it.
Anyone can relate to an e-mail they got that seemed a bit suspicious, or to seeing a Facebook campaign that seemed too good to be true. Security is not something special that matters only to a few people. According to a recent online survey of American adults, 39% said they would sacrifice sex for one year if it meant they never had to worry about being hacked.