It might be nearly two years since the General Data Protection Regulation (GDPR) came into force, but it remains a frequent topic of conversation. What has been so positive about GDPR is how effective it has been at pushing the matter of compliance into mainstream consciousness, amongst end-users as well as businesses.
Consumers now have a much better awareness of the responsibilities that organisations have in terms of protecting their data. Organisations, in turn, are recognising the value of making their position on compliance clear to their end-users. Forward-thinking approaches to compliance are not just about doing the work behind the scenes – they are about communicating that work clearly and upfront.
Many of the discussions and seminars focused on the importance of using tangible business data to drive security decisions, rather than relying on a one-size-fits-all approach parachuted in from outside the organisation or reacting to the latest cyber threat headlines.
As the cyber threat landscape becomes increasingly sophisticated, dynamic and complex, organisations must resist the temptation to panic, or to implement the latest cybersecurity tools and techniques without clear-headed consideration of their infrastructures and processes. Organisations’ abilities to accurately assess their own security and risk posture – and to implement protections accordingly – have never been more critical.
As always, third-party risk management was a prominent topic. There was much discussion on overcoming one of today’s most common security and privacy challenges, underlining the importance of identifying priorities before, during and after vendor procurement.
After all, two-thirds of data breaches occur thanks to insecure or poorly managed third parties and vendors. Yet traditional third-party risk management methods are heavily reliant on spreadsheets, incorporating cumbersome and error-prone manual methods. They also lack the agility that is essential as trends such as cloud computing, artificial intelligence and the Internet of Things dramatically extend the number of third parties to which organisations are connected. We expect to see even higher uptake of centralised, automated third-party risk management solutions over the coming months, as well as greater attention paid to processes such as effective information gathering from third parties.
Theo Botha, Head of Cyber Security and Information Security at Which? (Consumers’ Association), delivered a talk on PCI DSS and security strategy for a maturing estate, including the process of implementing a constructive PCI DSS culture. ‘Dejargonize, clarify and embed’ were his three key steps.
This talk resonated powerfully with us. The risk and compliance industry is saturated with acronyms and ever-evolving standards – many of which were key topics of discussion at PCI London! Technical language cannot be avoided when implementing security, risk and compliance tools and processes – but when it comes to communicating those processes to staff and building organisational awareness of compliance, discussions need to be centred on business goals and customer needs. Humanising compliance, in other words, is critical for organisations wanting to implement a genuinely constructive PCI culture. Again, we highly recommend watching Craig’s presentation on ‘How to Centre your PCI Programme Around your Business Objectives’ to explore this further.
Perhaps above all, PCI London underlined the ongoing challenge for organisations of all sizes and sectors to keep up the momentum with compliance programmes and operations. Standards are continually evolving – and rightly so – but keeping pace with them can be overwhelming, which is precisely why SureCloud aims to create a single, centralised cloud-based platform for all governance, risk and compliance processes. Momentum must be underpinned by technology which gives all stakeholders real-time visibility into the organisation’s risk and compliance posture.