Live at PrivSec Dublin’s Data Privacy, Security and Emerging Technology theatre, Glen Hymers, Chief Security Risk and DPO at Princes Trust, discusses how data practitioners can manage compliance and security with budgetary constraints.
He emphasises how it is key to spend money on a security awareness programme and then to make sure that staff buy-in exists.
“Try to make your policies as easygoing and light as possible, but make those policies informative. Make sure they empower staff to be able to do their job,” Glen says. By way of example, staff should feel able and authorised to approach an unfamiliar person in the firm’s building and ask for ID if that person is not wearing appropriate identification.
Likewise, if an “IT expert” turns up in the office to sort out a problem on your computer, do not disappear for half an hour to grab a coffee while that person has free, unsupervised access to your machine.
Such examples represent practical action that staff can take on a daily basis to either weaken or strengthen organisational security. The key is making staff empowered and knowledgeable so that they take the right decisions.
“Your members of staff need to have that clarity when it comes to policy. If people don’t understand it or they’re not empowered, they’ll just ignore it or find ways around it,” he says.
Often, Glen explains, incidents happen because staff do not understand a policy that is in place. To help with clarity, Glen underlines the need to choose your information security framework carefully. “Pick one framework, do not pick policies from one area and control sets from another. It doesn’t work. Make it as simple as possible,” he states.
Glen closes by highlighting how a robust security awareness programme will deliver “in spades”, before ending on a warning about the realities at play: “If you haven’t been breached it’s because you don’t know or because it’s just around the corner.”
In the Data Privacy Theatre, the morning talks continue with David Sinclair, Privacy Consultant at OneTrust.
David underlines the importance of knowing where data flows within your organisation and where data resides, so that the inevitable consumer data requests can be handled quickly. In this way, privacy and data governance become built into your compliance strategy rather than bolted on afterwards.
This approach is particularly important for GDPR professionals adapting to the California Consumer Privacy Act (CCPA) and the burgeoning suite of privacy laws in the US.
“Knowing what to do and when in each different region is very important in terms of how you deal with a potential breach or leak,” David says.
He underlines the vital role that automation can play in helping businesses respond when data incidents occur.
Solutions such as those offered by OneTrust cover privacy, marketing, user experience, vendor risk management, and incident and breach response, so that organisations can get things right first time.
The post #PrivSecDub: Managing compliance, security and budgetary challenges appeared first on PrivSec Report.