Regulation and Compliance – What Drives Data Security Adoption?

In this clip from our recent webinar ‘Data Security and Data Protection in 2024’, Sam Malkin, HANDD’s Lead Solution Architect, discusses the crucial role of regulation and compliance in driving data security adoption. Key regulations discussed include PCI, ISO, GDPR, CCPA, and the upcoming Digital Operational Resilience Act (DORA). Because non-compliance with these regulations often carries financial penalties, they motivate board-level buy-in and strengthen an organisation’s data security posture.

View the clip and transcript below or watch the full webinar.

Is your data secure in 2024?

In today’s dynamic threat landscape, proactive Data Security and Data Protection measures are vital for safeguarding your organisation’s assets. With HANDD, you can strengthen your security posture, minimise upfront costs, and achieve your business objectives seamlessly.

Request a FREE 30 minute consultation to learn more about how HANDD can help you protect what matters most to your business.

Transcript:

The first one that we’re going to start with is probably the easiest, and that’s regulation and compliance, because regulation and compliance actually drive data security adoption. The others don’t really foster the kind of adoption of data security.

Now, regulation can take many different formats and that’s going to differ depending on what it is that you’re trying to achieve and also depending on things like the industry you operate in, the geographic location that you’re in and a whole host of other factors as well.

But effectively, what compliance and regulation give us is a requirement that can sometimes be mandated by law, can other times just be something that we want to achieve, which says data must be handled in a certain manner or secured in certain ways.

So where we’ve got these regulations placing obligations on our organisation, particularly where they are met with a financial punishment if we don’t meet them, that’s when we’re going to start to see buy-in from the board.

They don’t want to be fined, they don’t want the bad press as a result of a breach in something.

And as a result, that’s going to drive our data security posture forward.

As I mentioned, they also allow us to demonstrate how serious we might be about security, protecting data, and allow us to prove to our peers, third parties that we might do business with, but particularly to our consumers, that actually we’ve gone through an audit in some capacity and we take data security seriously.

Up on the screen are some very common pieces of data protection, security, privacy legislation. I’m not going to read them all out. I’m sure you’re familiar with most of them.

But as I’ve mentioned, they are similar yet different in terms of their data safeguarding and understanding on what data we might have or where we might have to allow it to go or whatever the case may be.

Now, some of them up there are specific to a data type.

PCI, obviously, payment card industry. We’ve got version 4.0 kicking around now. That’s specific to credit card information or payment card information. And that says what we can and can’t do with it, where we can store it, and where it is allowed to go.

You’ve got ISO up there, which is a more general definition of sensitive data. And that’s almost defined within your organisation as to what you define as sensitive.

But what they all do is say that once you’ve got that sensitive data defined, you must apply appropriate controls to it so that it doesn’t fall into the wrong hands or become misused, et cetera, et cetera.

We’ve also got up there GDPR and CCPA, which are something that I’m going to move onto in a second, but they’re part of an ever-growing trend of consumer privacy regulation.

We’ve now got 137 countries, out of all of the countries on the globe, that have a data privacy law, which puts obligations onto organisations as to how they must treat the personally identifiable information of citizens of that country. But we’ll come on to that in more detail in a second.

We’ve also got DORA. DORA is a fairly new piece of legislation. It’s going to come into force in January next year. We’re actually running a DORA webinar next month. So if anyone’s interested in that, if you’re working in the finance industry, that’s specific to you, then keep your eyes peeled on our usual channels for dates around the next DORA webinar that we’ll be running.

But without having a handle on the data that your organisation has, the organisation controls, and having things in place to prevent its misuse, then it’s almost impossible to prove, and it’s really hard to deliver this compliance.

And that’s regardless of whichever one of those regulations we were just looking at on the previous slide that you want to achieve.

I keep saying it, but every single one of those pieces of regulation is going to stipulate that certain data types must have appropriate security controls applied to it to keep it safe.

So again, if that’s PII in the case of the privacy laws, or it’s confidential as per ISO, or it’s CUI data in the defense industry, without being able to identify that information, find out where it is, you know, pick that out compared to all the other pieces of information which this doesn’t apply to, run reports on where those types of data are, then what we’re doing is we’re effectively going to have to rely on our human beings to have firstly understood the legislation and then secondly, be willing to comply with the legislation and deliver that off their own back, which I’m sure you’ll all agree will have distinctly different outcomes from one day to the next and from one business to the other.

But what is also happening now is that when we have to pass audits and things to confirm compliance with any regulations, things like our ISO audits or our Cyber Essentials or something like that, without having these tools in place we’re making our life more difficult.

I think everyone knows the apprehension and the fear, almost, when it comes to audit time, but without tools in place we are very much making our lives even more difficult.

I mentioned that I wanted to deliver you some pointers and some ways that you can take this forward and start thinking about your data and taking action within these projects.

So when it comes to legislation, the first thing that you’re going to have to do is you’re gonna have to understand it, understand what that legislation entails, what that legislation is saying that you must do, or must not do, I suppose, is also accurate.

I think they can seem daunting and plenty of people will get intimidated by regulation, particularly when there are fiscal penalties involved and things like that. But it’s important to remember that they’re there to help us out, they’re not there to make us look daft or make examples of us or anything like that.

So it’s worth doing some work or alternatively finding someone like us who has already done some work to understand the piece of legislation.

And then working out, are we in scope?

You know, I spoke about DORA a second ago and there’s a lot of people that will be out of scope of DORA.

So do we even have to do anything?

But once we’ve done that, write it down, start to create a blueprint in terms of policy about what it is that we have to keep safe, what it is that we have to do. And you might have a lot of overlap there.

There’s a lot of regulations which are very similar.

So your policy for ISO might actually cover you for another piece of regulation that you want to adhere to.

So yeah, do your homework, write some policy, and then finally augment that with software and technology as well.

As I mentioned before, trusting human beings to do anything can often be catastrophic, but don’t just say in policy that we don’t send certain types of data to certain places: police it, block it if you have to, know why people are trying to do it, get analysis of what is trying to be done in terms of data movement, and then go back and ask them why, you know, and engage with your user community, because they are just trying to do their jobs, you know, they’re not trying to breach compliance legislation for fun.

–End of transcript–