InfoSecurity – Can GDPR Support This Many Products?

Last week was arguably the most important European security conference of the year, InfoSecurity Europe in London. As with all such events, particular themes emerge that capture the issues and the mood at the time of the event.

This year there was a higher level of gravitas in the keynote speeches than in previous years. Kicking off the event was the ex-CEO of Talk Talk, who suffered one of the most notorious breaches in recent years, with the press at the time dubbing her “the Queen of carnage.”

This was followed by more tales of woe and foreboding from many different factions of the industry. I believe that a key factor contributing to the solemnity of the keynotes is the changing regulatory environment, coupled with the ongoing fear of impending data breaches. Some have labeled this “The GDPR paradox” because of the seemingly impossible requirements set out and the huge accompanying fines.

The GDPR Paradox

One paradox is the requirement that organizations must know when they are breached, although surely breaches only occur when you don’t know you have been compromised.

The second aspect of the GDPR breach requirements is that you must report the breach within 72 hours. Firstly, if you don’t know you have been breached, you obviously don’t know that the requirement to notify applies to you. And secondly, there are not enough forensic investigators on the planet to scope and report each data incident within a 72-hour window.

GDPR stipulates that security should be appropriate to the risk, and the risk is getting fined ten million euros. The only way to realistically achieve GDPR compliance from a continuous monitoring perspective is to implement an Artificial Intelligence solution with automated responses.

Breaches follow common patterns. It is the alerts, indicators and other signals that fall through the cracks at various stages of these patterns, or kill chains, through incorrect prioritization, lack of clarity, or a failure to connect alerts together, that create the digital ooze in which breaches grow and develop.

What is appropriate security for GDPR? Reading the requirements, it appears to be a system that can counter intrusions at every phase of the kill chain using every conceivable detection capability, that utilises Artificial Intelligence to connect every aspect of an intrusion together, that then orchestrates a response to the attack, and that enables a comprehensive defence within 72 hours, before the breach can cause harm.

This is indeed state of the art, which is the final remaining stipulation for security in the new regulation. If only such a system existed!

Infosec 2018 Trends

Perhaps it was the general angst over GDPR, or the angst perceived by vendors looking to help companies comply, that drove record participation.

Taking a quick look at InfoSecurity 2018 by the numbers, we see that the event has doubled in size since 2016 in terms of products on show, and 2018 has been a huge leap up from 2017.

Infosecurity Europe products metrics

And here is a breakdown of the trends in each sector of technology in the cyber security space:

Infosecurity Europe 2018 industry segments

However, overall attendance is not seeing anything close to this kind of growth. In 2015 just over 15,000 security professionals attended, versus an estimated 20,000 this year. Good growth to be sure, but not the doubling seen in the number of vendors.

Even with the spotlight shined by GDPR, it’s hard to imagine that all of the vendors hoping to capture a piece of the technology or services pie will get enough of a share to stay in business. But we’ll be back again next year to see for ourselves how many vendors survived, and how attendees have decided to address the GDPR paradox.

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, the Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.