Inboxes were flooded with opt-in emails on May 25, 2018, the date on which the two-year transition period for the EU's General Data Protection Regulation (GDPR) ended and the regulation became enforceable. Not coincidentally, the results of the VotE Information Security Key Projects survey show 'compliance' as the most commonly cited basis for information security project selection and prioritization, for the first time since 2015.

Many security program leaders aim to make proofs of compliance a byproduct of an already effective security program, and for a while compliance-driven projects did take a back seat to some form of risk assessment: a holistic look at the likelihood and impact of potential security weaknesses in both an organization's processes and its technical infrastructure. Multiple indicators in the most recent VotE study suggest that, for many organizations, that approach will be subordinated to compliance work for at least a year. GDPR's breach notification timeline (72 hours to notify the supervisory authority), its large potential fines and the need to inventory the many forms of personal data it covers have caught the attention of security managers whose business is in, or touches, the European market.

The 451 Take

'Compliance does not equal security' is the dogmatic refrain one hears whenever compliance-based security spending is raised, followed inevitably by examples of PCI-compliant organizations that nonetheless suffered data breaches. But PCI assessments, or any security activity driven by regulatory or industry requirements, never promised to make an organization unbreachable. After a two-year hiatus, compliance is back to dominating 2018 security agendas, pushed over the top by GDPR coming into force. Vendors selling into this environment must walk a fine line, serving this motivation while knowing their buyer isn't always happy about its presence.

Compliance, in information security parlance, refers to requirements derived from the interpretation of regulatory controls. Some of those requirements are common across industries and some are very industry-specific, with a good deal of overlap between them. Whether the requirements actually originate from a compliance department, legal, or an internal or external audit function, they are generally all lumped together as 'compliance.'

Figure 1: Security project motivations over time
Source: Voice of the Enterprise Information Security: Multiple Studies

While attaching a compliance justification to a security project can ease its passage through various approval hoops, using compliance as a lever tends to be a double-edged sword for security managers. Comparing audit horror stories, poorly written findings, and the remediation those findings drove that did nothing to lower the organization's risk profile is a favorite pastime of security managers. Prior VotE studies have found that while auditors generally have both a strong business background and an understanding of the applicable regulatory controls, technical acumen is often missing, which results in an over-reliance on overly prescriptive, generalized best practices.

That said, narrative commentary from senior information security managers makes clear that certain organizations have to be forced to a minimum security baseline before they provide even basic protection for stakeholders' (patients', customers', suppliers') data. Those stakeholders would otherwise bear, and in some cases still do bear, the costs of the negative economic externalities generated by these businesses' lack of security practices:

"As humans, if we don't have a speed bump, we're not going to slow down...So while regulation and law get in our way sometimes, we have them for a reason. And I truly believe that if we didn't have the HIPAA regulations, that healthcare would still be an absolutely dismal, awful security mess...We had to do something, and the industry was not self-regulated. It didn't care."
– IT/engineering managers and staff, 50,000-99,999 employees, $10bn+ revenue, healthcare

"That [HIPAA] stipulation was the only way. Prior to HIPAA, there was no security team...That was pretty much across the board in healthcare. You had a few techs in the IT side who dealt with the hardware and software to keep workstations running, you had application people to keep your apps going, and there was no security team. It just flat did not exist. And when HIPAA...started getting close to the point where they would be fined, that's when organizations truly stepped up and said, 'Oh man, maybe we really do need to have a security team and worry about this stuff, otherwise we're going to get fined.'...Regulations really drove us to where we're at."
– IT/engineering managers and staff, 50,000-99,999 employees, $10bn+ revenue, healthcare

Pain and Projects

In addition to being the most-cited motivator for security projects in 2018, compliance-related costs and requirements are the second most-cited pain point for security managers, and the most common project. Narrative commentary from senior security managers this year also makes clear that some organizations have had prior 2018 project plans entirely derailed by efforts around GDPR:

"[Our 2018 budget] priority is going to be around GDPR compliance. 100% around it...We're going into phase two of our new CRM system, so there will be work from my side on that around the security side of it. But all of it's going to be with a GDPR focus for the next 12 months because there are no budgets for anything else around. There is no new budget for 2018 and any budget we're going to get is going to be what we can get by tagging with GDPR."
– IT/engineering managers and staff, 500-999 employees, $50-99.99m revenue, software, education and training

Figure 2: Top security pain points and projects, 2018
Source: Voice of the Enterprise Information Security: Information Security, Key Projects, 2018

Respondents report that the projects themselves largely center on two difficulties: inventorying where potentially affected personal data is present within the organization, and mapping GDPR's requirements onto the existing regulatory structure they already operate under:

"[With GDPR] the biggest impact is the amount of time it takes to get things going, and get engagement and, for example, mapping out your data flows.... Every time you think you've got all the information from people about where the data comes in from, who it comes from, where the consent is gathered, things like that, someone will come back here two weeks later and go, 'Oh, yes. We forgot about this.'"
– IT/engineering managers and staff, 500-999 employees, $50-99.99m revenue, education and training

"[For GDPR] it's more of a data-gathering phase right now. I would say the pain points haven't really started with GDPR, but the regulatory landscape is very big... and it is getting bigger and bigger."
– Mid-level management, 10,000-49,999 employees, $5-9.99bn revenue, business services

"We just finished our GDPR pre-assessment...We also have to comply with PCI DSS as well as PA-DSS and we perform SOC 1, SOC 2 audits... so we get hit by all of them. GDPR specifically really affects us because... client customers, they can be anywhere. They can be coming from the US, the UK, any one of the European Union states, and so we have a requirement to protect that data...GDPR is very far-reaching as how they define personal information. So it's really the PII elements that are triggering our requirements to meet the compliance for GDPR."
– Mid-level management, 250-499 employees, $100-249.99m revenue, software, IT and computer services

"There is a project open to reconcile the requirements of GDPR with our current regulations to identify what the outliers are... so that we can begin to address them next year so that we can get that done before the end of May."
– Senior management, 10,000-49,999 employees, $10bn+ revenue, financial services

Further Implications

Finally, while GDPR clearly affects US companies with customers in the EU (the regulation applies based on where the data subject is located, not on citizenship), as the first commentator below notes, a natural question is whether GDPR is a precursor to stricter controls around user privacy coming to the US market. Such controls would include broader definitions of personal data; better handling of consent to use that data, including what constitutes a legitimate interest; data minimization; and a clear understanding of enforcement, which up until now has largely fallen to the Federal Trade Commission (FTC). US Senator Ed Markey of Massachusetts has already made some noise in that direction; however, the EU's concept of and expectations around user privacy have long differed from attitudes in the US, as the second narrative below points out:

"[GDPR] affects US companies because it has to deal with if you have anybody that's in your system that got a visa, born there, family there, works there. It's pretty ugly...It does apply to US-based companies, and the big part is the way they set up their fines; I think that one of their fines is 4% of the company's revenue...[And] with the EU GDPR, it is a single breach of a single person's record, has guidelines with which it must be reported."
– IT/engineering managers and staff, 50,000-99,999 employees, $5-9.99bn revenue, healthcare

"How do you take a marketing-focused US economy and throw GDPR into it, which is a privacy-oriented British source standard that is in German? That says people have a right to know in what way their personal information is being used and shared with other people and sold to other people. And what are their rights to be aware of the impact and to retract information and keep information constant? That is heretical to the way we do business in the United States."
– Senior management, N/A, N/A, financial services

Daniel Kennedy
Research Director, Voice of the Enterprise: Information Security

Daniel Kennedy is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.

Jeremy Korn
Research Associate

Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received a MA in East Asian Studies from Harvard University, where he employed quantitative and qualitative methodologies to study the Chinese film industry.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.
