Canon’s EU infosec chief: ‘For GDPR, tech should be a leading factor, not a lagging factor’

7 Jul 2017

Canon’s Europe IS chief Quentyn Taylor. Image: Canon

In the latest in our five-minute CIO series, Canon’s European IS chief Quentyn Taylor warns that systems and technology, not only business processes, are critical when implementing GDPR.

The General Data Protection Regulation (GDPR) comes into effect in May 2018, bringing with it sweeping changes to how organisations across Europe handle data as well as hefty fines for failing to do so.

Quentyn Taylor is director of information security for Canon Europe. He has a wealth of experience in both the IT and infosec arenas and, in recent years, has focused his attention on building business relationships across the world.

‘While deleting a record sounds easy, it’s not. Many IT systems are written specifically to preserve records and so the prospect of selective deletion was never conceptualised at system design time. That will all have to change’

Taylor has driven Canon’s strategy to highlight the importance of document security and help business customers to minimise their security risk.

He strongly believes in educating users about the importance of a comprehensive, overall security policy that will allow Canon’s business customers to improve security in a cost-effective way.

During his career, Taylor has worked in a variety of industries for a number of organisations including outsourced service providers, internet service providers and internet businesses.

What are the big trends and challenges in your sector, and how do you plan to use IT to address them?

There are a number of big trends and challenges currently in our sector. GDPR, for example, is a huge change. We often think of change in the order of people, process and then technology. However, due to the change that the GDPR represents, it’s actually technology that needs to be thought of as a leading factor rather than a lagging factor.

For example, one of the key changes of GDPR is the right to be forgotten. From an IT perspective this can be an issue as companies now need to identify which systems the subjects’ records are in, and have the ability to delete the records from the systems.

While deleting a record sounds easy, it’s not. Many IT systems are written specifically to preserve records and so the prospect of selective deletion was never conceptualised at system design time. That will all have to change.

Linked to this, the requirement of privacy by design will also impact IT teams. Companies will have to be able to prove that they have been thinking about and incorporating measures to protect the privacy of data subjects upon conception of their system design.

Obviously, GDPR will have a huge impact on your industry. How has it affected your company’s IT strategy?

Honestly, it’s easier to speak in broad terms as GDPR is going to affect pretty much every company’s IT strategy. The adoption of GDPR will possibly have more impact than any other legislation to date. Previously, individual teams were able to make unilateral decisions around data hosting, data residency, support contracts, etc. Now, teams will need to work together in a data-centric, rather than technology or functional manner.

Whilst this will have a huge impact, I foresee that it will be a very positive change for the whole industry, forcing a more data-subject, more customer-centric view of the world from IT practitioners.

What are the issues the introduction of GDPR will bring and how will it affect CIOs and heads of technology in trying to achieve their goals?

Obviously, any change comes with some potential issues and in GDPR there is both threat and opportunity.

In terms of threats, there is the huge spectre of cost and the cost change, but on the opportunity side there is finally the chance to get control of data flows from end to end.

It will also encourage CIOs to grasp the control of the processes and truly move to being chief information officers and not just heads of IT. GDPR also specifically mentions that controls must be “best of breed” and, whilst this is still to be defined by the courts, it is wording that will allow the far-sighted CIO to mould the change into what they need it to be. It will essentially allow them to move away from twilight technologies and update their estate.

Can you give a snapshot of how extensive your IT infrastructure is?

Our IT infrastructure is quite large. As we are the Irish arm of a European network, there is an extensive arm of IT and comms that runs through our whole company.

How complex is the infrastructure? Are you taking steps to simplify it?

The infrastructure is complex enough. The good thing about the incoming GDPR law is that it forces companies to simplify their infrastructure. We have to think about how our communications can be easier. It needs to be crystal clear, especially when dealing with the public.

Do you have a large in-house infosec team, or do you look to strategically outsource where possible?

Yes, we have a significant internal infosec team but have outsourced our first-line information security teams. This was not done from a staffing perspective, but to enable 24/7/365 support as well as to ensure that, as this resource is shared, that threat intelligence from other companies can be easily applied to our estate.

What are some of the main responsibilities of your own role, and how much of it is spent on deep technical issues compared to the management and business side?

From a personal point of view, and whilst I come from a technical background, I tend not to get involved day to day with the deep technical issues. Then again I do run Canon’s ‘Tiger Team’ which gives me a chance to ‘get my hands dirty’ and dig deeply into issues. I do fully support and, indeed, want a technically focused information security team. I think that, in most cases, infosec issues are in the detail and only by being able to understand the technical detail can you manage an infosec function.

I worry that non-technical heads of security may not even know what they are missing when trying to investigate issues. Information security, like no other IT function, demands a certain level of technical competence and I wonder, if one does not have this, how progress is made.

Are there any areas you’ve identified where IT can improve? What are they?

The main area that improvement is possible is the evolution of the CIO from mere head of IT to chief information officer. GDPR will enable this change to be undertaken. It will allow IT to be far more in the driving seat as a partner of business. It will force IT – via the aforementioned processes such as privacy by design, data mapping and privacy impact assessments – to finally understand that they are a key part of any modern business. Not just the team that provides laptops and fixes projectors, but the team that is a key component, at the centre of a modern, data-savvy company,

What other projects do you have lined up for the year, and what will they contribute to the business?

One of the main projects I am driving is to bring the security and business teams closer together. Canon’s information security team has, for a long time, been in the lead on security responses to tenders and customer questions. But now, with our document services and business information services teams, we are leading the print security conversation. This year, Canon invested in being present at the InfoSec2017 trade show in Olympia, which was a combined effort of my team and that of the business teams. This year, our big focus is on bringing print security, and the opportunities it offers, alive for our customers to really develop and drive the message home.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years