GDPR needs to be part of a larger conversation, says Dell’s Brett Hansen.
As a data security expert, Brett Hansen is like many others, endeavouring to help companies make sense of GDPR as the May 2018 deadline approaches.
Hansen is the vice-president of client software and general manager of data security at Dell, and has more than 15 years of experience leading business development and channel functions in the software industry, having previously worked at IBM for more than a decade.
Siliconrepublic.com spoke to Hansen about how US companies and beyond are handling things, and what CIOs and CTOs need to know.
Some firms are struggling
In terms of Dell itself, Hansen explained that the sheer scale of the company means it has been doing the spadework around GDPR for a long time now.
“We’re looking at network security, data discovery, data access, controls, mapping and governance. It’s a very complex set of regulations,” Hansen said. Therefore, a multinational company the size and scale of Dell naturally requires numerous elements to achieve compliance.
Multinationals in general have started their compliance journeys with a strong foundation, according to Hansen. “They are looking back and they are seeing if they have covered all of the existing regulations that are included in GDPR within their current practices, policies and technologies.
“Larger companies – ones who have a history of data privacy and protection – are well down the path.”
It isn’t all rosy for every organisation Hansen deals with, though. “A large number of companies that I speak with are struggling with more elementary data security stuff.”
For firms still stuck on avoiding ransomware attacks and keeping malware out of their systems, things may be more difficult. “The intricacies of GDPR could be a bit lost on them.” Hansen said this does depend on the firm’s maturity and understanding of regulations.
Use GDPR to ask hard questions
Viewing GDPR as a looming threat is a mistake, according to Hansen. Instead, firms should see it as a way to ask foundational questions about their data policies: “What is our data security policy? Are there practices we want to implement? How are we ensuring the security and protection of data throughout its life cycle? How are we ensuring that our employees practise good policies with regard to the security of data?”
At the same time, Hansen empathised with companies that may be feeling a little lost. “I’m talking about a mid-market company, maybe they’re in retail or transportation – their bread and butter is not data security.
“It can be daunting for them to look at and read the press reports of the next company who has been breached – oftentimes a multinational with even more resources than them – and feel a little bit like a deer in headlights.”
Forcing firms into good data hygiene practices
The good news from a US perspective, Hansen said, is that for companies doing business in the EU, GDPR is a “forcing function for those who have not to take some very solid steps forward in understanding the intricacies in ensuring good data hygiene”.
Hansen noted that the US is not by any means without data security frameworks, citing the National Institute of Standards and Technology (NIST) as a prime example, but confusion around GDPR lies in where exactly a firm should begin.
Although people are naturally worried about risks of fines and penalties, Hansen said this concern should be channelled into vital company-wide discussion. “Every survey we see is ‘CEOs and boards of directors are all worried about cybersecurity’, but there is a gap between being concerned and having an understanding of risk.
“That’s the thing about GDPR … a CIO has a very clear mandate to go and have a conversation with their marketing department, their HR, whoever else might be affected, to talk about how we need to mitigate risk together using good policy and good technology.”
Systematic road to compliance
Hansen posited that companies should be taking a systematic approach to achieving compliance, something he said not all are doing. Some ramshackle approaches are common: “I’m going to go and load new software here, I’m going to do this there.”
He explained that this scattershot approach will get firms nowhere, and that GDPR cannot be fixed by software alone. “I’m a technology vendor so this is going to sound weird coming from me, but my first recommendation is to not immediately go and buy my cool software.
“It is: evaluate your environment, understand your risk and then set together a strategy. That strategy cannot be created in a vacuum.”
In terms of key things to note, Hansen said data storage policies must be examined closely. “Data is collected, it is stored, it is typically manipulated in some fashion, analysed and then, at some point, ideally, it is sunset.
“Storing data indefinitely increases the odds of that data being compromised. Some data might have a very short storage time, but some might be years, could be decades, so you need to at least know, ‘OK, this is my expectation around this set of data collection.’”
Risk and encryption
As we all know, in terms of risk, it is mitigation rather than elimination that GDPR leads must strive for. “There’s nothing foolproof about cybersecurity, whether that’s due to an external attacker, an internal mistake or internal malfeasance – your goal is to try to reduce the risk of that occurring.”
A backup plan is also crucial, according to Hansen.
He stressed: “The best thing you can do to protect yourself is encryption. Encryption has reached a level of maturity where there is no excuse for not encrypting.
“There’s no impact on device performance; it’s not going to impede individuals who should have access to that data gaining access. What it’s going to do is reduce your risk if a device gets lost or stolen.”
Keep communication going
As well as encryption technology and other software tools, Hansen is a major proponent of employee education.
He noted that “people are people”, and pointed to a recent Dell survey of thousands of professionals, which found that while there is a strong awareness of the need to be accountable for data hygiene among employees, when it came to practising good techniques or choosing a path of greater efficiency to get their job done, “they chose the latter”.
He said this kind of circumvention of good practice can be reduced with continued education and discussion across the entire business. “The communication that needs to occur around the strategy and risk associated with your GDPR, your data security and your privacy policies is key.”
It’s a fine balance between two areas, explained Hansen: “There is a need to be implementing technologies that allow you to improve your data security risk, while not impeding the workforce from getting their job done.
“If you get in the way of the workforce, they’re going to find a way around you – like water. They’re going to find that crack, that way to break through your approach.”
On the whole, Hansen is optimistic that GDPR “is going to cause a higher level of discussion and investigation. For those who are talking but not doing yet, I would like to think that GDPR is a little nudge. It should further elevate the conversation”.