MEA Q1 2018

24 MEA MARKETS / Q1 2018 , Tarek Jundi, Managing Director, Middle East & Turkey at McAfee LLC, explains how the impending GDPR regulation is an opportunity for organisations in theMiddle East to improve their cybersecurity posture GDPR: Data-Protection Soul-Searching, Not Just Compliance With just a couple of months to go, reports and surveys frequently indicate that CIOs and business owners are concerned about and unprepared for GDPR. And the race is on, with a Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by GDPR. Many organisations are looking to bring their cyber procedures and capabilities up to scratch ahead of its becoming enforceable, May 2018. But, with an evolving IT threat landscape, new technologies introducing new risk, and a cyber-skills deficit, it’s important that CIOs and IT directors not only focus on this critical deadline but also look beyond it. Once-in-a-Generation Opportunity From large enterprises to SMEs, many organisations are shifting their traditional business model away from physical assets in favour of a data-driven business model. Cloud, mobility and the advent of Internet of Things are driving this digital transformation, introducing new challenges that organisations must navigate to ensure citizens’ and employees’ data is protected. While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity. Rather than approaching it separately and in isolation, the new regulation has put a price on cybersecurity and secure data management—bringing it to the attention of the C-Suite. CIOs and CISOs should harness this opportunity to get the budget and procedures in place that will enable them to transform their organisations’ approaches to cybersecurity, and reposition IT as a function that enables business transformation and growth. This will have a dramatic impact on a number of current security challenges many IT teams are facing, such as the massive growth in Shadow IT. According to a recent McAfee Labs Report, almost 40% of cloud services are now commissioned without the involvement of IT, and unfortunately, visibility of these Shadow IT services has dropped year on year. 65% of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now being stored in the public cloud and more than half (52%) of respondents report that they have definitively tracked malware from a cloud SaaS application. For the first time, GDPR gives CIOs and IT leaders the authority to clamp down on shadow IT in their company, with the support of the rest of the board who fear the ramifications of GDPR. Better LateThan Never – Getting Started on the GDPR Journey There are specific requirements in the Regulation—reporting breaches, reviewing processing in advance, making sure vendor contracts have particular language. But GDPR makes a larger and more fundamental ask: That each company look carefully and studiously at its environment, evaluate the data it holds, and “implement … measures to ensure a level of security appropriate to the risk.” It’s a sort of data protection soul-searching designed to protect people and their data from harm. And this perspective challenges organisations to embrace the spirit of the law and be accountable for it, not just to tick a box. “Appropriate” and “adequate”— tough words in a security context—are found repeatedly in the GDPR. The regulation suggests that “(i)n assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” That sounds like a basic risk assessment. But what should you consider in this high-stakes risk assessment, and how do you get to where you can say you have appropriate security? Remember: This isn’t legal advice—each company has to decide for itself what it needs to do to comply with GDPR but I would suggest you consider these steps as ways to get started on the journey: