CWIN17 Telford – GDPR or ‘How to Eat the Elephant a Bit at a Time’ – Andy Powell

  1. GDPR or ‘How to Eat the Elephant a bit at a time’!
     Andy Powell, VP UK Cybersecurity, Sep 17
  2. Copyright © Capgemini 2014. All Rights Reserved. Owned by Capgemini/Andy Powell (28 Mar 17) – This DOES NOT constitute any form of legal or legally binding advice.
     This is NOT an Elephant?! It is in fact a vaguely purple Octopus!
  3. Worried about GDPR, but not sure why? How to eat the GDPR Elephant a bit at a time! Andy Powell will …
     • Simplify what GDPR really means and outline an Enterprise approach – so that even the CFO gets it!
     • Explain the Threat – without hype – and why the Threat is not just from ‘Hackers’ but also comes in other forms!
     • Explain how the Enterprise-wide principles of ‘Build, Watch, Proact and React’, as practised in Medieval Warfare and viewed through the lens of data management and Cybersecurity, will help you be ready!
     There is NO silver bullet to dispatch the GDPR Elephant, just good old fashioned common sense, prioritisation of effort and a balanced programme of measures across people, process and tools!!
  4. The GDPR Octopus (diagram; the labels below are the tentacles and annotations as they appear on the slide)
     Tentacles: Transparency, Accountability, Governance, Consent, Rights, Safeguards, Data Management, Legal/Contracts, Breach Reporting, Security
     • ‘ACCOUNTABILITY’: Appoint DPO; Controllers/Processors; 3rd Parties; External to EU; Understand Exclusions; etc.
     • Rights of: Being Informed; Access; Rectification; Erasure; Restrict Processing; Data Portability; Objection; Automated Processing
     • Audit ‘HOW’: Legacy; GDPR by Design; ‘Show Workings’; PIA
     • The ‘WHO’ owns: Board OWN, plus Enterprise-wide Responsibility – NOT Security/CIO
     • Definition of Private Data
     • In-built, e.g. Encryption, Access etc., and Security Controls, e.g. Review SANS/CSC 20 v GDPR and adjust
     • Data: Discovery, Analytics, Store/Access/Dispose etc.
  5. Some Quotes….!
     • ‘… to correct the scaremongering and misunderstanding, we will not be looking to make early Examples to make a point on GDPR Compliance….’ – Elizabeth Denham, ICO
     • “The Government’s recent Cyber Risk Survey found that whilst 69 per cent of businesses say their senior management consider cyber security is a very or fairly high priority for their organisation, only half of businesses have actually taken recommended actions to identify cyber risks.” – ICO
     • “I want organisations to think to themselves: ‘we base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect’.” – ICO
     • “To meet the challenges I’ve described, we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.” – ICO
     • ‘…the Vendor/Supplier base is over hyping the Cyber Risk and GDPR impact to panic Business into investing in products and solutions they do not need….’ – NCSC Leadership
  6. The GDPR ‘Threat(s)’!
     • GDPR ‘Threats’: ‘Hackers’; Internal Readiness/Complacency; External/Legal Rights – Clients/Customers
     • Why? Personal Data has value; Identity is the ‘new boundary’; Rights awareness
     • Who? Criminals – organised to various degrees?!; Employees and Clients/Customers; Lawyers – ‘There is money to be made by helping’!
     • Likely Impact on Business
       • Positive – ‘FINALLY! EXPLOIT YOUR DATA FOR BUSINESS ADVANTAGE’!
       • Negative – ‘FAIL TO PROTECT YOUR DATA – LOSE BRAND, SHAREHOLDER CONFIDENCE, CLIENTS and YOUR JOB’!
  7. Countering the Threat – ‘a truly Medieval Approach’
     • BUILD – Create a Keep (for precious things) and build security into your Castle (NOT just walls, but small rooms and staircases to contain the threat once inside – it will get in!)
       • Locate and Track Precious Data
       • Segment Architecture
       • Target Security Controls
       • Think Resilience
     • WATCH – Constant Reconnaissance outside and inside the walls
       • Sentries Looking Out and In
       • Understand the Threat
       • Impact of Change!
       • Adjust your Defence posture constantly
     • PROACT – Be proactive and unpredictable
       • Deny the enemy cover (Access Management)
       • Slow their advance (Cyber Hygiene)
       • Change where and when you patrol (Audits, Patching etc.)
     • REACT – Be prepared to act!
       • Be Prepared to Deal with a Breach
       • Tried and Tested Consent and Access Process
       • Test and Adjust
     Think laterally and like a human! CxO!
  8. Build (1) – Think Data Life Cycle Management from the start and Design to support Secure but Ready Access
     • Understand Where Your Data is and How it Flows
     • Compartment your Network and Data via Hard and Soft Means
     • Build Resilience into your Components and Links
     • Build to Change
     • Instrument
     “Think laterally and indirectly: how could someone navigate through this and get at something vital, for good or bad!”
  9. Watch (2) – The key to Data Management and Security is constantly watching and adapting your data processes and security
     • Strategic and Specific Intelligence
     • Internal Threat Management
       • People
       • Data Flow
       • Patterns
     • External Threat Management
     • Recruit, Train and Retain
       • Users
       • Data managers
       • Security
       • Network
     “Intelligence-led, human in the loop, all process harnessed to manage the data for effect, securely”
  10. Proact (3) – The 7 Ps! There is NO silver bullet: a combination of Training, Awareness, Governance and Process, underpinned by Tools!
     • People
       • Select, Train and Test
       • Awareness
     • Process
       • Governance
       • Consent
       • Access
       • Audit
       • Change Management
     • Tools
       • Patch
       • Run VM
       • Data
     “Mitigate the Threat by Preparation – Good Data Management and Cyber Hygiene is cheap!”
  11. React (4) – Be Decisive, Meet Obligations, Be Ready for Changes, and Practise!
     • To Access Requests and Consent Changes
     • To Events and Breaches
       • Stop it and Immediate Forensics!
       • External – Client, Media, Peers, Authority
       • Internal – Lessons, Implement and Sustain
       • Share – Intelligence with Peers and Authority
       • Compliance/Mandate – Legal obligations
  12. Synopsis, Bio & Picture – Andy Powell, VP Cyber Security, Capgemini
     About Andy: Andy is Vice-President (VP) for UK Cybersecurity at Capgemini, with over 30 years’ experience in Defence and Security roles and recent senior leadership roles as CIO and CISO for the Royal Air Force and Joint Operations, and as head of the Ministry of Defence’s Cyber Defence Operations and Network Operations. As VP for UK Cybersecurity at Capgemini, Andy leads a business that covers all Sectors from Public to Energy and Utilities, including Consumer, Private Sector and Finance – delivering a broad range of Consulting, Project and Managed Cyber Services. A Systems and Electronic Warfare engineer by training, he describes Cyber as ‘the constant battle of wits between attacker and defender, where people, process and technology must converge to enable the business!’
     07891151835
  13. Interrogation and/or Torture can commence!