At the RSA Conference 2017 in San Francisco, CA we were able to survey more than 300 security professionals. One of the survey questions was, “Is your organization preparing for the EU General Data Protection Regulation (GDPR)?” 67% of respondents said that their organizations were preparing.
Regulatory Compliance Standards
Regulatory compliance standards such as PCI-DSS, HIPAA, and SOX are meant only as a baseline for security organizations. Unfortunately, they have led some organizations to treat compliance itself as the security strategy. That may be workable for organizations with budget or staffing constraints, but a checkbox approach is not data-centric: it does not build the programs around the data itself that are needed to secure unstructured sensitive data.
The EU GDPR is the most significant change to data privacy regulation in 20 years, and it changes how every organization that handles personal data will operate going forward. It not only provides a framework for how organizations should handle personal data properly, it also holds those organizations accountable for doing so.
Data at the Epicenter
Most sensitive data lives in unstructured data, which accounts for more than 80% of the data a typical organization holds. Organizations must comb through that data to know where their exposure actually is. The EU GDPR will hold organizations accountable for knowing where their sensitive data is and for acting on it.
This does not mean that organizations should stop investing in perimeter, network, database, or application security. Those remain necessary parts of a security program, but you must know what you are protecting: treating everything as equally sensitive becomes costly in tools, storage, and staffing.
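A minimal illustration of what "combing through" unstructured data for sensitive content involves, as an added example that is not part of the original post and is not StealthAUDIT code: it scans a constructed set of text files for e-mail addresses, phone numbers and IBANs, and confirms each IBAN hit with the ISO 13616 mod-97 checksum so that a bare regex match does not by itself drive remediation. The file contents and paths, the three detectors and the confidence labels are assumptions made for this example.

```python
import os
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    kind: str         # "email", "iban" or "phone"
    value: str        # matched value, IBANs normalised to compact upper-case form
    confidence: str   # "high" only when a checksum backs the match, else "medium"/"low"


# Regex detectors (assumed for this example). Patterns over-match on their own,
# so IBAN hits are confirmed with the ISO 13616 mod-97 check before they are
# reported as high confidence.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
    "phone": re.compile(r"\+\d{1,3}(?: ?\d){6,13}\b"),
}

# Constructed sample corpus standing in for a file share (path -> file text).
SAMPLE_FILES: Dict[str, str] = {
    "hr/onboarding_2017.txt": (
        "New hire: Anna Schmidt <anna.schmidt@example.org>, "
        "IBAN DE89 3704 0044 0532 0130 00"
    ),
    "finance/vendor_notes.txt": "Invoice paid. Contact +49 30 1234567 for questions.",
    "eng/README.txt": (
        "Build with make; no personal data here. "
        "Ref DE00 1111 2222 3333 4444 55 is a placeholder."
    ),
}

RANK = {"low": 0, "medium": 1, "high": 2}


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97 test: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must leave remainder 1 mod 97.
    Check digits are defined to lie in 02..98, so 00, 01 and 99 are rejected."""
    compact = candidate.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34 or not compact[:2].isalpha():
        return False
    if compact[2:4] in ("00", "01", "99"):
        return False
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A->10 ... Z->35
    return int(numeric) % 97 == 1


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every detector over one file's text and grade each hit."""
    findings: List[Finding] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "iban":
                value = value.replace(" ", "").upper()
                confidence = "high" if iban_checksum_ok(value) else "low"
            elif kind == "email":
                confidence = "medium"   # well-formed, but not verified against anything
            else:
                confidence = "low"      # phone regexes hit plenty of non-phone numbers
            findings.append(Finding(path, kind, value, confidence))
    return findings


def scan_corpus(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory corpus such as SAMPLE_FILES."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_directory(root: str, suffixes=(".txt", ".csv", ".md")) -> List[Finding]:
    """Walk a real directory tree; bytes that are not valid UTF-8 are skipped."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
    return findings


def files_needing_review(findings: List[Finding], min_confidence: str = "medium") -> List[str]:
    """Paths with at least one finding at or above the given confidence, sorted."""
    threshold = RANK[min_confidence]
    return sorted({f.path for f in findings if RANK[f.confidence] >= threshold})


if __name__ == "__main__":
    results = scan_corpus(SAMPLE_FILES)
    for finding in results:
        print(f"{finding.path}: {finding.kind} {finding.value} [{finding.confidence}]")
    print("review first:", files_needing_review(results))
```

Run against the constructed corpus, only the HR file is queued for review: its IBAN passes the checksum and the e-mail address is well-formed, while the placeholder IBAN in the engineering README fails mod-97 and the phone-shaped number in the finance note stays low confidence. That triage step is the point: discovery tooling that cannot distinguish a verified hit from a regex coincidence either floods the team with false positives or gets ignored, and neither helps with accountability for the data you actually hold.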
How Does Your Organization Prepare?
If you haven’t started mapping your security processes and tools to the articles of the EU GDPR, begin that first and immediately. Don’t wait until you have hired a Data Protection Officer (DPO). When you are building a ship, you don’t hire the captain first, you hire an engineer. Many organizations say they want a DPO in place before they move forward. That is backwards, and with so little time left before the regulation takes effect it could stall their progress.
Corin Imai is a Director of Marketing for STEALTHbits. Corin began her career working on server, application and desktop virtualization, networking, software-as-a-service, and cloud computing technologies before delving into application and data security. In her current capacity at STEALTHbits, she manages the industry-leading StealthAUDIT suite that enterprises around the world depend on to defend their most critical information. Corin can be found on Twitter @corinimai