The role of business strategy and networking technology in data protection
Consulting firms, legal firms, technology vendors and service providers, among others, are busy promoting their solution approaches to compliance with the EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
Data protection is not a new concept – data protection commissioners at country level, and best practices such as the Center for Internet Security (CIS) controls and the Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology (NIST), have been in place for a long time now. GDPR simply gives individuals rights in respect of their personal data, and any entity that handles such data should have the necessary governance in place to comply with the privacy requirements.
Moving away from educating on GDPR, it is important to recognise that cyber security risks can harm an organisation's ability to gain customers, innovate and drive profitability. For this reason, data protection is core to business growth and is not a legal, consulting or technology overhead expense. Organisations will need to balance the consequences of failure against the cost of compliance.
The NIST framework on cybersecurity uses a common language and is a good starting point for understanding how cybersecurity risks correlate with business drivers. It suggests that an information and decision flow which starts from, and is supported as, a core business process is key to executing cybersecurity activities within the high-level functional areas of Identify, Protect, Detect, Respond and Recover.
Figure: Notional Information and Decision Flows within an Organization
In terms of cybersecurity implementation, CIS defines controls broadly relating to access control (people, devices and software), protection (email, WAN, LAN, web), monitoring, reporting, incident response and contingency planning. GDPR requires privacy by design and by default, and networking technology plays an important role towards this through:

Internet protection
Associated technologies: Next-Gen Firewall, Intrusion Prevention, Content filtering, DDoS, Advanced Threat Analytics.

Network Segmentation and Access Control
Associated technologies: Identity Services Engine, TrustSec.

Security Breach Detection and Notification
Associated technologies: End-point (devices) Protection, OpenDNS, Email Security, Advanced Malware Protection, ThreatGrid, Active Threat Analytics.
GDPR is about application-level data, and networking technology is an enabler of the data protection controls necessary to support the digital transformation required as part of business strategy.