Women’s Security Society Event: How Safe is your Data?
The European Bank for Reconstruction and Development hosted the latest WSS meeting on 29th January in the City of London. It was a testament to the pull of the society that more than 80 people attended on this freezing winter’s night. Three expert speakers helped to shed light on avoiding, dealing with and recovering from the loss of data.
WSS aims to develop a confident security workforce, and in particular to bring more women into it. One of its key approaches is to encourage convergence: bringing together all areas of security to help develop depth and breadth of knowledge, and contacts, across related disciplines such as cyber, fraud, intelligence and physical security.
Speaker and WSS board member Suzanne Rodway, Head of Privacy, Royal Bank of Scotland, said, “I’m really proud to be on the WSS board, as I think it’s important we encourage more women to join this exciting area and help make it a more diverse specialism. I think we are unique in trying to bridge the gaps across the various security disciplines. I was honoured to be asked to speak at the WSS’ first event focused on privacy, as it’s a topic very close to my own heart. The convergence of disciplines within security was clearly demonstrated throughout the talks, with overlaps being demonstrated between privacy and cyber, information security & records management issues.”
Chair Sue Seaby opened the evening, thanked the hosts for their amazing hospitality and introduced the theme for the event: “Data protection is a hot topic at the moment, with almost daily news of another breach and its impact. We are privileged to have three highly qualified speakers in this field.”
Simon McDougall, MD of Promontory, began the presentations by comparing data breach management to a classical tragedy, quoting Aristotle: “We have laid it down that a tragedy … is an imitation of an action that is complete in itself, as a whole of some magnitude; for a whole may be of no magnitude to speak of. Now a whole is that which … has beginning, middle, and end.”
Following this analogy, he described The Beginning as the time to prepare diligently for a data breach: drafting policies and procedures, building checklists, maintaining lists of contacts, identifying stakeholders, and developing and practising contingency plans. He said, “The key to data breach management is good preparation. The aim is to ensure your reaction time is minimised every step along the way, all the right people are involved at the right times, and that there is always a focus on minimising the damage to anybody affected by the breach.”
He continued by aligning The Middle with the response itself. He advocates a structured and well-understood process, the first step of which is to identify that an incident has actually occurred, followed by a triage stage and then steps to respond, contain, recover, document, mitigate and review the data breach.
The End is the recovery process which involves a number of activities to protect your brand integrity, customer relations, and staff morale.
He closed with another classical quote, from John Jay (1813): “To hope for the best and plan for the worst is trite but a good maxim.”
Suzanne Rodway spoke next on “How to get the Board on board”, or alternatively “May the Force be with you” (© Lucasfilm and Disney).
To the delight of the audience, Suzanne likened the approach to protecting privacy with the struggles between forces in the Star Wars film trilogy. She asked the audience to consider themselves in their role of protecting privacy like Luke and to think of finding a sponsor like Yoda. Vader was similarly depicted as Snowden and the press. You get the picture!
On a more serious note, Suzanne said, “Protection of data in transit is vital. If organisations want to rely on encryption then they need to make it the default solution so that it’s easy for their employees. If you’re relying on employees having to make decisions and elect to encrypt, then you’re going to be exposed. If data is automatically encrypted when leaving the organisation, then you’re in a much stronger position. We need this functionality to be built into our everyday tools like email, and so need to support technological development in this area.”
She continued, “There are some simple steps you can take to assist in getting senior management to support your privacy (or other security) initiatives. Finding a senior sponsor is key and there are a number of tactics you can employ to get them on board. Appealing to both their personal and professional self-interest is a great start. The amount of press coverage of privacy issues is even greater in this post-Snowden world; so use examples of those who got it right and those who got it wrong. Align your approach to their strategic agenda – are they looking at big data initiatives, are they concerned about regulatory enforcement, are they keen to be early adopters of new technology etc? Once you have them engaged on the topic then reassure them you have a plan to address the issue you’re raising and be realistic about what that looks like.”
The third and final speaker was James Castro-Edwards, Senior Commercial Solicitor, PricewaterhouseCoopers, who presented on “Practical Compliance: Addressing the Risks”.
He first addressed the common compliance triggers for action, including corporate acquisitions and disposals and other major changes such as implementing new systems, and discussed the impact of the EU General Data Protection Regulation, not least the risk of very large fines.
James followed this with some very helpful insights into how companies can help themselves avoid these risks. Firstly, he outlined how crucial it is to audit for compliance, including maintaining data inventories, mapping data flows and developing an effective data protection system. Secondly, he advocated appointing data protection officers who can be the point of contact for breaches and carry ongoing responsibility for managing compliance, training and related areas. Thirdly, he highlighted training, and how it must be delivered from doorwoman to chairwoman. He closed by emphasising that the most important thing is “Don’t do nothing!!”
All agreed that it was another useful and successful meeting for the WSS. Sue Seaby said, “The EBRD provided us with an amazing venue and their hospitality really helped the conversations flow after the talks – as always with WSS events, the networking was very successful with everyone having the opportunity to make new contacts.”
Simon McDougall said, “The WSS is a fantastic organisation. There is a breadth of disciplines represented here that is far beyond most events. There are so many aspects of security, from physical security to information security to law enforcement to privacy; the WSS brings all this together.”
You can join the Women’s Security Society via their website (womenssecuritysociety.co.uk). Membership is free, and benefits include regular meetings, an online forum and monthly feature articles from one of the board members. The Society is open to all to apply.
Photographs: Sara Lincoln Photography