With just a year to go, reports and surveys frequently indicate that CIOs and business owners are concerned about and unprepared for GDPR. And the race is on, with a Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by GDPR.
Many organisations are looking to bring their cyber procedures and capabilities up to scratch ahead of it becoming enforceable in May 2018. But, with an evolving IT threat landscape, new technologies introducing new risk, and a cyber-skills deficit, it's important that CIOs and IT directors not only focus on this critical deadline but also look beyond it.
The GDPR presents CIOs and IT directors with a once-in-a-professional-lifetime opportunity to transform both their company's IT procedures and security capabilities, to future-proof the way it approaches cyber and provides services.
A British approach to GDPR
While many organisations have been slow to prepare, GDPR will dramatically change the way companies globally deal with EU citizens' data. The new European legal framework provides rules that affect the full data lifecycle, from collection, processing, storage and usage through to destruction.
While not prescriptive about the controls, the regulation requires organisations to implement appropriate measures to protect personal data. Failing to take the right measures could result in a heavy fine for unlawful processing, data breaches, or not reporting data breaches.
The UK government has vocally backed GDPR and how it hopes to use it to improve cyber-risk management in the wider economy. In the Cyber Security Regulation and Incentives Review, launched in late 2016, the government pointed to how the breach reporting requirements and fines that can be issued under GDPR present a significant call to action for industry.
Once-in-a-generation opportunity
From large enterprises to SMEs, many organisations are shifting their traditional business model away from physical assets in favour of a data-driven business model. Cloud, mobility and the advent of the Internet of Things are driving this digital transformation, introducing new challenges that organisations must navigate to ensure citizens' and employees' data is protected.
While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity. Rather than approaching it separately and in isolation, the new regulation has put a price on cyber-security and secure data management – bringing it to the attention of the C-Suite.
CIOs and CISOs should harness this opportunity to get the budget and procedures in place that will enable them to transform their organisations' approach to cyber-security and reposition IT as a function that enables business transformation and growth.
Creating a culture of secure IT
With the fear of hefty fines and concepts such as “privacy by design”, CIOs and CISOs are likely to find themselves with full-company backing to create a culture of secure IT within the organisation, with a focus on protecting personal data – perhaps for the first time in a while.
This will have a dramatic impact on a number of the current security challenges many IT teams are facing, such as the massive growth in Shadow IT. Due to the ease of procurement, the McAfee Labs Report found that almost 40 percent of cloud services are now commissioned without the involvement of IT, and unfortunately, visibility of these Shadow IT services has dropped year on year.
Sixty-five percent of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now being stored in the public cloud and more than half (52 percent) of respondents reporting they have definitively tracked malware from a cloud SaaS application.
For the first time, GDPR gives CIOs and IT leaders the authority to clamp down on shadow IT in their company, with the support of the rest of the board, who fear the ramifications of GDPR.
Embrace the change
The innumerable opportunities that digitalisation brings are introducing many new security and data management challenges. To mitigate these new threats, CIOs and CISOs must ensure that future processes are planned securely – especially as we embrace the increase in complexity and the migration to the cloud.
CIOs and IT directors must use the power of GDPR to get and keep board-level attention and support in introducing transformational technology and processes that will protect personal data now and in the future.
Contributed by Gordon Morrison, director of government relations, McAfee
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.