InfoSecurity – Can GDPR Support This Many Products?
Last week was arguably the most important European security conference of the year, InfoSecurity Europe in London. As with all such events, there are particular themes that emerge, capturing the issues and the mood at the time of the event.
This year there was a higher level of gravitas in the keynote speeches than previous years. Kicking off the event was the ex-CEO of Talk Talk who suffered one of the most notorious breaches in recent years, with the press at the time dubbing her “the Queen of carnage.”
This was followed by more tales of woe and foreboding from many different factions of the industry. I believe that a key factor contributing to the solemnity in the keynotes is the changing regulatory environment coupled with the on-going fear of impending data breaches. Some have labeled this "the GDPR paradox" because of the seemingly impossible requirements set out and the huge accompanying fines.
The GDPR Paradox
One paradox is the requirement that organizations must know when they are breached, although surely breaches only occur when you don’t know you have been compromised.
The second aspect of the GDPR breach requirements is that you must report the breach within 72 hours. Firstly, if you don’t know you have been breached, you obviously don’t know that the requirement to notify applies to you. And secondly, there are not enough forensic investigators on the planet to scope and report each data incident within a 72-hour window.
GDPR stipulates that security should be appropriate to the risk, and the risk is getting fined ten million euros. The only way to realistically achieve GDPR compliance from a continuous monitoring perspective is to implement an Artificial Intelligence solution with automated responses.
Breaches follow common patterns. And it is alerts, indicators, and other signals falling through the cracks at various stages of these patterns or kill chains from either incorrect prioritization, lack of clarity, or failure to connect alerts together, that create the digital ooze for breaches to grow and develop.
What is appropriate security for GDPR? Reading the requirements, it appears to be a system that can counter intrusions at every phase of the kill chain using every conceivable detection capability, utilising Artificial Intelligence to connect every aspect of an intrusion together, orchestrate a response to the attack, and enable a comprehensive defence within 72 hours, before the breach can cause harm.
This is indeed state of the art, which is the final remaining stipulation for security in the new regulation. If only such a system existed!
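To make the "failure to connect alerts together" point concrete, here is an added example (not code from the original post or from any vendor mentioned) of a minimal correlation pass: each alert on its own sits below a typical triage severity threshold and would fall through the cracks, but grouping alerts per host across kill-chain phases within a time window surfaces the chain. The alert format, phase labels, window and thresholds are assumptions made for this illustration, and the sample alerts are constructed.

```python
"""
Added example, not part of the original post: link individually low-priority
alerts on the same host across kill-chain phases so the chain is not lost.
Alert schema, phase names and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered kill-chain phases (assumed labels for this example).
PHASES = ["recon", "delivery", "exploitation", "installation",
          "command_and_control", "exfiltration"]

# Per-alert severity cut-off a naive triage queue might apply on its own.
SEVERITY_THRESHOLD = 7

# Constructed sample alerts: none individually reaches the threshold.
SAMPLE_ALERTS = [
    {"ts": "2018-06-04T09:12:00", "host": "ws-17", "phase": "delivery",
     "severity": 4, "msg": "macro-enabled attachment opened"},
    {"ts": "2018-06-04T09:14:30", "host": "ws-17", "phase": "exploitation",
     "severity": 5, "msg": "office process spawned a script interpreter"},
    {"ts": "2018-06-04T09:20:05", "host": "ws-17", "phase": "command_and_control",
     "severity": 3, "msg": "beacon-like periodic DNS queries"},
    {"ts": "2018-06-04T11:02:00", "host": "ws-17", "phase": "exfiltration",
     "severity": 6, "msg": "large outbound transfer to new external host"},
    {"ts": "2018-06-04T09:13:00", "host": "ws-22", "phase": "delivery",
     "severity": 4, "msg": "macro-enabled attachment opened"},
    {"ts": "2018-06-04T15:40:00", "host": "srv-db1", "phase": "recon",
     "severity": 2, "msg": "port scan from internal range"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def triage_individually(alerts, threshold=SEVERITY_THRESHOLD):
    """Alerts that survive a per-alert severity filter with no correlation."""
    return [a for a in alerts if a["severity"] >= threshold]


def correlate(alerts, window=timedelta(hours=4), min_phases=3):
    """Group alerts per host inside a time window starting at each alert;
    escalate a group that spans at least `min_phases` distinct phases."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        by_host[a["host"]].append(a)

    incidents = []
    for host, items in by_host.items():
        for i, first in enumerate(items):
            start = parse_ts(first["ts"])
            chain = [x for x in items[i:] if parse_ts(x["ts"]) - start <= window]
            phases = {x["phase"] for x in chain}
            if len(phases) >= min_phases:
                incidents.append({
                    "host": host,
                    "phases": sorted(phases, key=PHASES.index),
                    "first_seen": first["ts"],
                    "last_seen": chain[-1]["ts"],
                    "max_severity": max(x["severity"] for x in chain),
                    "alerts": len(chain),
                })
                break  # one incident per host is enough for this illustration
    return incidents


if __name__ == "__main__":
    print("per-alert triage keeps:", triage_individually(SAMPLE_ALERTS))
    for inc in correlate(SAMPLE_ALERTS):
        print("escalate:", inc["host"], "->", " > ".join(inc["phases"]),
              f"({inc['alerts']} alerts, max severity {inc['max_severity']})")
```

Run as a script, the per-alert filter keeps nothing, while the correlation pass escalates the ws-17 chain because four phases were touched inside the window. Shrinking the window (for example to ten minutes) still catches the first three phases, which is the behaviour a practitioner wants: the decision to escalate rests on the breadth of the chain rather than on any single alert's score.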
Infosec 2018 Trends
Perhaps it was the general angst over GDPR, or the angst perceived by vendors looking to help companies comply, that drove record participation.
Taking a quick look at InfoSecurity 2018 by the numbers, we see that the event has doubled in size since 2016 in terms of products on show, and 2018 has been a huge leap up from 2017.
And a breakdown of the trends in each sector of technology in the cyber security space
However overall attendance is not seeing anything close to this kind of growth. In 2015 just over 15,000 security professionals attended vs an estimated 20,000 this year. Good growth to be sure, but not the doubling seen in the number of vendors.
Even with the spotlight shined by GDPR, it’s hard to imagine that all of the vendors hoping to capture a piece of the technology or services pie will get enough of a share to stay in business. But we’ll be back again next year to see for ourselves how many vendors survived, and how attendees have decided to address the GDPR paradox.