test post

Sixty years ago today, on October 4, 1957, the USSR laughed Sputnik 1, the first artificial satellite, into orbit around earth.  I was just four years old.

Catching the western world by surprise, this launch was the first visible sign of the Soviet Union’s growing supremacy in space technology.  I grew up in the midst of this space race, with utter fascination in all things related to space travel.

It was several years before I gave up my dreams of becoming an astronaut to focus electrical engineering!

We talk a lot about restricting what personal data we share on line, but is that sharing all bad? Tom Fishburne nails the issue with this week’s Marketoonist post.

We’re in a marketing catch-22. Consumers increasingly demand hyper-personalized experiences but are increasingly reluctant to hand over the data needed to make those experiences personalized.

This is pretty cool.  Oracle is making a free tool available to the public that shows the impact of Internet problems throughout the world.  According to a SiliconAngle article by Mike Wheatley, 

Available for anyone to use, Oracle’s Internet Intelligence Map constantly tracks the state of the Internet in real-time, allowing people to see how events such as cyberattacks and natural disasters impact on connectivity in different parts of the world.

 

Did you know, for example, that as I write this post, the two most impactful trouble spots in the world right now are in Congo and Comoros? Do you care?

This map starkly revealed my geographic ignorance.  I didn’t know that places like Eritrea, Wallis and Futuna and Lesotho even existed!  Yet there they are on this Internet Intelligence Map!  Enjoy!

Today’s light eading – the Cisco 2018 Security Capabilities Benchmark Study   This report, which “offers insights on security practices from more than 3600 respondents across 26 countries” shows that “defenders have a lot of challenges to overcome.”

The report introduction states,

Adversaries and nation-state actors already have the expertise and tools necessary to take down critical infrastructure and systems and cripple entire regions. But when news surfaces about disruptive and destructive cyber attacks—such as those in Ukraine, for example, or elsewhere in the world—some security professionals might initially think, “Our company’s market/region/technology environment wasn’t a target, so, we’re probably not at risk.”

However, by dismissing what seem like distant campaigns, or allowing the chaos of daily skirmishes with attackers to consume their attention, defenders fail to recognize the speed and scale at which adversaries are amassing and refining their cyber weaponry.

I love that imagery: “chaos of daily skirmishes with attackers to consume their attention.” Sounds like cybersecurity Whac-a-Mole.

So what is a company to do?  The report offers hope:

… defenders will find that making strategic security improvements and adhering to common best practices can reduce exposure to emerging risks, slow attackers’ progress, and provide more visibility into the threat landscape.

The 68 page report provides extensive analysis of the problems confronting us and numerous recommendations to address the complex security issue.  I like page 53, which states:

Faced with potential losses and adverse impact on systems, organizations need to move beyond relying solely on technology for defense.

Cisco research found that only 26% of security issues “can be addressed by technology alone”, while 74% “might also require people and/or policies to address.”

It is a complex world out there. We must think strategically, not just tactically killing each threat as it rears its head.

Where data breach regulations are in force in your state?

Check out the Snell & Wilmer interactive, state by state Data Breach Map.

Here we are, four days beyond May 25th – the date when enforcement of the Global Data Protection Regulation was to begin.  So far, no planes have fallen from the sky (remember dire Y2K warnings?) and no specific enforcement actions by the EU have been announced. Privacy activist Max Schrems’ organization noby.eu immediately filed $8.8 billion in lawsuits against Facebook and Google. But what of the EU regulators?  What are their plans?

Only time will tell.  I get the feeling that what will happen with GDPR enforcement is kind of like the Super Bowl.  There has been incessant conversation and speculation leading up to May 25th, and now the game has begun.  It will be played out on the field over the next months and years.  Then we will really know what will happen.

An Dark Reading article, “GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?”, includes some interesting speculation and advice from privacy experts.  I particularly like a comment in the article by  says Dave Lewis, global security advocate at Akamai Technologies. 

There has been an inordinate amount of focus on the potential fines. The reality is that GDPR is very much a push towards ensuring the accountability of the data for which [companies] are stewards.

If that accountability really improves, we should cheer GDPR, not live in fear of its dire consequences.

My two cents …

Yesterday’s blog post about a new version of Oracle’s Visual Builder Cloud Service reminded me of a little family story from days gone by.  Many years ago, when my oldest son was in seventh grade, he asked me, “What is Basic?” His school math book contained a few lines of Basic code at the end of each chapter.  With a bit of coaching, David soon had all those lines of code running on our IBM PC.

A few weeks later, before leaving on a business trip, I showed David how to use Microsoft Visual Basic. By the time I returned from my trip, he had given a GUI face to all those lines of code by wrapping them in a Visual Basic project.  And the rest is history … David got his first paid programming job at age 16 and is now CIO of Brock Supply, a leading wholesaler of aftermarket auto parts and supplies.  His LinkedIn profile highlights how far he had come from those first baby steps with VB: “Currently driving full ERP replacement (Microsoft Dynamics 365 for Operations), business intelligence, ESB integration, and security initiatives.”

Of course Oracle’s VBCS is light years ahead of where Visual Basic was in 1993, but the principles are similar – a WYSIWIG developer interface with facilities for creating code behind the scenes. But now, the apps are created for mobile devices and cloud services, not just Windows PCs.

What will the next couple of decades bring?

 

I find it incredibly ironic that EU regulators may not be ready to enforce GDPR when scheduled on May 25th.

A Reuters Business News article, European regulators: We’re not ready for new privacy law, reported:

Many of the regulators who will police [GDPR} say they aren’t ready yet. …

Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.

“We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” Isabelle Falque-Pierrotin, president of France’s CNIL data privacy watchdog, said in an interview.

After working with customers about GDPR compliance preparation for over 18 months, it has been amazing to me how ill-prepared many companies are, but it was really surprising to learn that the EU may not be ready either!  It all goes to prove that it is much easier to talk about something than actually do it.

 

With the May 25th enforcement date for GDPR looming before us, it is easy to focus on the huge investment companies are making in efforts to comply.  

However, an Information Week article authored by Dimitri Sirota, CEO and Co-founder, BigID, offers a brighter picture:

The International Association of Privacy Professionals estimates that Fortune’s Global 500 companies will spend roughly $7.8 billion in order to ensure they are compliant with GDPR – no small sum. Yet, viewing GDPR through the lens of compliance cost alone doesn’t reflect the broader change afforded by the sweeping regulation. Yes, there will be substantial cost association with operationalizing specific obligations inside the organization, but the benefits can be argued to far outweigh the investment.

Sirota proposes tangible business benefits arising from work towards GDPR compliance (selected excerpts are shown):

Understanding the customer

First and foremost, compliance efforts help companies better understand their customer by better understanding their data. If customers are the lifeblood of a modern digital business, then knowing customers’ data takes on commercial “life or death” urgency.

Cyber insurance and civil action savings

Companies mandated to comply [with GDPR], and those showing proof of compliance with these stringent regulations will likely see a significant reduction in annual cyber insurance costs. …

A hard rule on public disclosure is understandably daunting, but the role GDPR will play in helping companies better understand what data they have, its risk and how to protect it, will prove greatly beneficial to avoiding a breach all together.

Minimizing response costs

Through increased data visibility required for compliance, funds spent on determining who exactly was affected by a breach will be all but eliminated.

In conclusion, Sirota takes the optimistic view:

GDPR aims to provide better consumer accountability through better data accounting. Ultimately, this helps build trust between a company and its customers. However, in a very real financial way it also has economic benefit. The investments required to comply with GDPR equip companies to better protect themselves and better extract value from its customers. GDPR at first blush looks like a cost for businesses to incur. But dig deeper and you find it opens up new protections and value.

I am a fan of looking for business benefits of security and compliance beyond reducing risk.  I think the most important benefit that Sirota proposes is understanding the customer because of better understanding of their data.  I really like how he puts it:

Data is the new oil, and knowing exactly what kind of oil, how much and where it is running through the engine not only provides a vehicle to safeguarding data, but also a way to unlock value within that data and improve performance, in a private and secure way.

Thanks for the insight, Dimitri!