If you’ve been a privacy professional at any point in the last few decades, your head is spinning with the myriad of privacy laws and regulations in the U.S. and abroad. Some examples are the European Data Protection Directive of 1995, the strengthening of that directive in 2012, the French Data Privacy Law of 1978, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) of 2001, and last but not least, the U.S. Gramm-Leach-Bliley Act (GLBA) of 1999.
Security & Risk
Ever heard the saying, “The Cloud is just someone else’s computer”? This is one of the many arguments I encountered as I became an early adopter in 2010. While it is technically true, it misses the point: the inherent flexibility and benefits of the “Cloud” maximize the chances of differentiating your company from its competitors, especially in financial services.
Information Security can sometimes feel like death by documentation, like a bunch of red tape just to keep regulators and auditors at bay. Throw in differences in lexicon, and seeing how all the many pieces fit together can be quite difficult.
Getting everyone, practitioner and leadership alike, on the same page when it comes to terminology in the information security space is key. If everyone can speak the same language, a well-understood and well-orchestrated information security governance structure won’t be far off.
As data collection has increased, so has controversy. Most of this data has been willingly given by us, the users, through our computers, smartphones, and more recently, smart home devices, cars, and even refrigerators. International regulatory eyes have turned their gazes to some of the massive organizations collecting our data.
Many organizations know they must have the basics: hire a CISO, perform a risk assessment, and find security vendors to fill up the holes. Unfortunately, these are often mere boxes to check. Impact Makers’ former CISO Cathie Brown offers a few simple considerations in each of those steps that will strengthen your cybersecurity posture, like what to look for in a robust risk assessment and a trustworthy security vendor.
Organizational risk management is too often treated as a compliance issue with complex rules that result in a back office tracking of risks that don’t see the light of day. This presentation contrasts a traditional view of organizational risk management with an alternative view provided in a Harvard Business Review article by Robert S. Kaplan and Anette Mikes. This categorization of risk allows executives to understand the qualitative distinctions between the types of risks that organizations face.
Enhancing cybersecurity is critical, but there is a pervasive Band-Aid mindset causing organizations to commonly overlook the vital ingredient to any amount of successful security: culture change. Need a reminder why cybersecurity is at the top of so many lists? According
While most organizations have made some investments in each of the three building blocks of cybersecurity, many overemphasize “technology.” The most overlooked component is “people,” which will actually make or break the effectiveness of your cybersecurity.