Peer to Peer Magazine

Summer 2019: Part 2

The quarterly publication of the International Legal Technology Association

Issue link: http://epubs.iltanet.org/i/1150262

Contents of this Issue

Navigation

Page 37 of 63

P E E R T O P E E R : I L T A ' S Q U A R T E R L Y M A G A Z I N E | S U M M E R 2 0 1 9 39 Internal IT Can't Keep Pace Even before the onset of massive data breaches and regulations, traditional internal IT departments have struggled to keep pace through no fault of their own. There are well documented and defined ways to design, build, and maintain secure data centers and to develop, deploy and advance high-business value applications in secure environments for end-users. However, most organizations do not have the ability to do this in a sustainable way. Why? There are extreme pressures on IT due to lack of funding, finding IT talent, and general organizational will to sustain quality IT infrastructure which prevent this from happening. IT is most likely viewed as a cost-center versus an innovation center and a bevy of new regulations will serve to enforce that view. Regulations Add Significantly to Development Backlog Let's look at the GDPR as an example of an international regulation that has had significant impact in the U.S. The GDPR effects any organization that processes data regarding EU individuals, necessitating compliance provisions for U.S. organizations, forcing significant changes to all aspects of an organization in how it treats personally identified information or PII. Specifically, data subjects have a right to know when and how personal data is collected, for what purpose, and for how long. Also, data subjects are entitled to have the ability to restrict processing, know where the data is kept, collect it in a portable fashion and have it deleted. Similar regulations are coming to the U.S. in full force. This creates a significant impact on IT. Many IT organizations already struggle to have current data flow diagrams (Records of Processing and Data Flow Diagrams) for existing systems; having these for those focused on processing PII specifically for this regulation can be way beyond the team's capabilities. In addition, having to create new application functions to request, process, document and store compliance records to facilitate data subject rights as defined in GDPR can also be beyond the team's bandwidth. But it gets worse. IT also needs to manage PII in backups, offsite recovery systems and printed reports. And if a data subject requests deletion of their data you have 30 days to comply with documentation. An already underfunded and overstressed organization must support this significant new initiative while at the same time keep existing new application initiatives underway to support business needs. Typical expenditures by IT organizations is 80 percent on operating expenses (simply maintaining systems) versus 20 percent on capital expenses (adding net new value with new application development). Demands of regulatory compliance will continue pressure on IT without significant new ways to attack these challenges. What to do? So, what are you to do to achieve cyber safe systems from a business and security process perspective? What is the pathway to take advantage of non-obsolescent and easily adaptable infrastructure to achieve compliance with the ever-changing regulatory landscape? Make Security a Key Element of Corporate Culture The ability to develop, implement, and maintain high secure corporate infrastructure is hard. Beyond the daunting task of simple execution of everything required to be a secure organization, firms and corporations must instill a vibrant and deeply embedded security culture. Many of us have been involved in the creation of detailed security policies and plans that have resulted in finely honed tomes of brilliance only to see those policies partially or haphazardly implemented due to either lack of execution or poor understanding. For the most detailed, complete and current security policy to be effective there must be constant and consistent development and nurturing of a security-aware culture within an organization. Most organizations today carry out the basics of building a security policy, communicating it, training employees and encouraging people to report incidents but few go to the next level to incorporate it into the daily culture. • Implement a week per quarter where each meeting, regardless of topics starts with a three minute "security moment" where an attendee discusses an ad-hoc security topic. This brings a regular reminder that instills vigilance while also perhaps providing ongoing education for all who attend the meeting. • Encourage real-time, non-retaliatory security "coaching". For example, encourage employees to tell other employees when they leave their desk and don't lock their desktop applications, leave sensitive material open to view, or fail to properly classify email. • Hold security days, luncheons or other specific events where the focus is security oriented. Bring in outside professionals to discuss security war stories from the field to bring knowledge and awareness. Raise Visibility In the case of GDPR and upcoming regulations that are more specifically focused on U.S.-based organizations, there are and will continue to be significant financial impact for non-compliance. If you have not already done so, the time is now for action on existing systems and to begin new application initiatives with a mindset to conformance with regulatory requirements. The GDPR and CCPA are good models for understanding what is required from a compliance

Articles in this issue

Archives of this issue

view archives of Peer to Peer Magazine - Summer 2019: Part 2