Technology, such as encryption and firewalls, can only go so far to protect an organisation’s data; culture is just as important, if not more so. This is according to Phil Bindley, CTO of The Bunker, who warns that organisations are fighting a losing battle if they fail to get company culture right. Data flows throughout an organisation and is handled by almost everyone in some way. This means that without a cultural appreciation of how data should be treated, the risk of falling short of GDPR compliance remains high.
The GDPR is designed to better protect citizens’ data and harmonise data protection legislation across the EU. The regulation brings a number of new obligations for organisations in relation to personal data (often discussed as Personally Identifiable Information, or PII, although the GDPR’s own term, “personal data”, is broader). In order to ensure a best practice approach to securing data is achieved, business leaders need to create a culture of information security by embedding sound processes within their organisations.
Phil Bindley, CTO of The Bunker, explains: “With the GDPR coming into force, a culture of information security has a major part to play in ensuring firms are able to demonstrate and maintain compliance. Although technology is an important factor, what it fundamentally comes down to is people and processes. It’s not about building a bigger firewall; it’s about changing the way organisations and their employees behave and treat the data that they hold on behalf of their customers.
“Information security professionals have a huge part to play in creating this culture. They need to speak the language of the board so they can explain the commercial benefits of behaving in a secure way. Businesses need to instil sound practices and ensure all staff look through a lens of data security. It’s vital to have a complete picture of everything that has the possibility to impact security. Everyone within a business needs to think about what they do on a day-to-day basis to make sure they behave in a way that is beneficial to the company as a whole; this extends all the way to the boardroom. Only then can organisations achieve a best practice approach to IT security.
“The GDPR provides a framework that encourages organisations to evaluate whether or not they are behaving in a secure way. It’s a real opportunity to change the way that information security is approached, and it should be welcomed by businesses. By embracing a culture of information security, organisations will be more competitive, can manage risk, protect their brand, and innovate in a controlled way. This in turn will allow organisations to compete at a European level; in order to trade with other European nations, organisations need to be compliant with the GDPR standard as and when it comes into existence. If businesses fail to embrace the changes, they won’t be able to understand the associated risks. Businesses need to understand risks in order to make decisions about where to invest and grow.
“There’s a competitive advantage to working with a cloud service provider (CSP) that values security, especially when an organisation’s customers reside in sectors that constantly evaluate this, such as financial services and government. With the introduction of the Data Protection Officer, supply chains are going to be tested to make sure data is being handled in the correct way. Fundamentally, without a secure framework in place, people are going to be less likely to want to do business with you,” concludes Bindley.