The election is over, the Conservatives have won, and Boris Johnson is promising to deliver on his pledge to ‘get Brexit done’ by the 31st January.
What does that mean for the average CISO in relation to their professional duties?
According to a new report from Forrester, How To Manage Brexit’s Impact: CISO Edition, the key conclusions are:
Firstly, firms must examine the legal basis for UK-EU data transfers. The report notes that the UK has made plans to adopt the UK General Data Protection Regulation (UK GDPR) alongside the existing Data Protection Act 2018 to stay aligned with EU data protection rules. It is not clear whether the EU will regard this as equivalent to its own regulations, as the EU says that it will not make its final data adequacy decision until after the UK leaves, and even then it may take some time to resolve. Consequently, firms must verify whether the legal basis for their data transfers is still valid after Brexit and plan for the necessary changes today, choosing between three options:
1) Move activities from the UK to an EU-27 country;
2) implement technical measures; or
3) create binding corporate rules (BCRs) or model contract clauses that will permit the transfer of data to a GDPR-inadequate UK.
Also, data transfers to non-EU countries often happen through standard contract clauses or BCRs, but post-Brexit most of these rules and regulatory frameworks will go, leaving UK firms uncertain about their way forward. So companies must:
1) be clear today on where their data is going and
2) verify the legal basis for transfers to each specific region.
Secondly, mobility restrictions will hit security hiring as current freedom of movement, which permits wide mobility for EU security professionals, will come to an end. CISOs struggling to hire qualified personnel for security functions with capabilities in the UK and the EU will find it harder to fill critical positions from within the EU and may need to look further afield. Forrester also notes that it will force security leaders to be more realistic about the level of skill and experience they expect from prospective job applicants and thus reverse some of the self-inflicted elements of the shortage.
Other concerns include:
Potential disruption at ports could delay hardware security deliveries for projects up to six months after Brexit, so CISOs should now allow more time than normal for these goods to clear enhanced customs checks at ports.
CISOs will need to check for any operational impacts on managed security services contracts. If you plan to continue using an MSSP’s UK delivery centre for services that involve EU-resident data post-Brexit, you must validate the legal basis the provider will use to transfer any EU citizen’s data, for example by inserting model clauses for data transfers if needed, or if the service provider is unable to support data hosting or service delivery from one of the EU-27 countries.
The UK will cooperate and participate less in Europol and the European Cybercrime Centre on an operational level.
Authorities like Ofgem and Ofcom will no longer be authorised to act as the single regulator across the EU, and additional incident notifications may be required.
Responding to the potential impact on skills availability, Stan Boland, CEO of FiveAI, said in an email to SC following the election result: "It’s vital that the Conservative government preserves what’s good about the UK tech sector, and helps to make it great. We encourage our political leaders to support an open and well-funded sector that can foster the iconic global tech companies of the future."
Ritam Gandhi, director of Studio Graphene, adds: "The UK’s tech sector has been fundamental to the country’s economic success. Brexit could damage this, which is why the newly elected government must ensure it is protecting the interests of this sector. I hope this newly elected government looks beyond Brexit and maps out their vision for tech startups through to large corporates sooner rather than later. This will ensure we can remain a global hub for tech innovation and growth."