An interview with… Thomas Fischer, Global Security Advocate, Digital Guardian

Posted by Katie Sadler on 16-Jun-2017


As part of Cognosec’s Partner Profile series, we speak to Thomas Fischer, Digital Guardian’s Global Security Advocate, to find out how it can help organizations comply with GDPR ahead of its implementation in May 2018.

Could you tell me a little about your role at Digital Guardian?

As Global Security Advocate at Digital Guardian, my role is to advise customers on how they can address their security challenges around the protection of a company’s critical assets and intellectual property. Protecting data against a variety of threats, including those related to compliance, is a critical part of the discussions and advice that I provide. I also work with existing customers to understand how their data protection needs are evolving as the threat landscape changes, and feed those needs back into our product development lifecycle.

Could you briefly explain what Digital Guardian does and what it provides? 

Digital Guardian’s mission is to provide ubiquitous data protection to organizations and corporations independent of the threat actor, data type, system, application, device type or point of access. Our unique data awareness and transformative endpoint visibility, combined with behavioural threat detection and response, provide a comprehensive security posture. We carry this data-centric security posture across the network and into the cloud, thus adapting to today’s borderless networks.

Our customers use Digital Guardian’s Data Protection Platform to secure both structured and unstructured data, everything from executive emails, to chemical formulas, to customer data. For more than ten years, Digital Guardian has enabled data-rich organizations to protect their most valuable assets with an on-premises deployment or an outsourced managed security program (MSP). The company operates in more than 60 countries. Seven of the top ten global patent holders and seven of the ten largest global automobile manufacturers are our clients.

Does Digital Guardian work with companies of varying size and within different industries?

Yes, Digital Guardian works with SMBs through F100 companies across all verticals, globally, including Financial Services, Manufacturing, Healthcare, Government, Energy, Technology and Professional Services. Our flexible deployment model includes both an on-premises offering as well as a managed service offering, which is usually advantageous for smaller companies who have limited IT staff and resources.

With GDPR implementation coming into force in May next year, how can Digital Guardian help organizations in the compliance process?

The upcoming EU General Data Protection Regulation (GDPR) will be one of the strictest and most far-reaching data protection regulations ever passed, imposing tight data protection requirements and heavy penalties for non-compliance for any business around the world that collects or processes EU citizen personal data.

It’s imperative organisations identify, classify and protect sensitive data for EU citizens and residents. Digital Guardian can help by starting with a visibility assessment of what data exists within your environment and what types of personal data – particularly GDPR-regulated data – you are collecting, handling, and storing, so you can have a deep understanding of your risk exposure and prioritize further compliance efforts from there. Once the data is discovered and classified, Digital Guardian can provide automated controls and protection policies to prevent that sensitive data from leaving your IT environment, or to ensure that the data is used in the intended manner described in your data usage statement.

GDPR imposes a 72-hour notification period following the detection of a breach. Our forensic, auditing and reporting capabilities can provide the necessary tools and data to allow you to notify clearly and accurately.

Can you help organizations identify what data is covered under new regulatory requirements and advise on how the data is used appropriately?

Yes, absolutely. We would start with a visibility study, which generally begins with data discovery and classification, which are commonly offered as part of data loss prevention (DLP) platforms. It’s important that companies take an approach that scans data in all of its forms and states, including on workstations, servers, websites, and removable storage devices, as well as any data that is being hosted, migrated, and managed in cloud-based environments. In this discovery process it is important to ensure that personal data from all 27 member states is covered, so we look for patterns and identifiers based on the variety of national ID number formats, passports, addresses, and phone numbers. But we should not just focus on the latter; we will also focus our discovery process on unlikely suspects such as IP addresses.

Based on our findings we would then ensure the data is being properly handled by applying controls and enforcement policies on anything marked as sensitive GDPR-based data.
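As an added illustration of the pattern-based discovery step described above (example code, not Digital Guardian’s product), a small Python scanner that tags files containing phone numbers or IP addresses as GDPR-relevant personal data; the file contents and the two detector patterns are constructed for this example:

```python
import re
from dataclasses import dataclass

# Constructed sample content standing in for files found during a discovery scan.
SAMPLE_FILES = {
    "hr/onboarding_notes.txt": "Call new hire on +44 20 7946 0958 before Monday.",
    "web/access.log": '203.0.113.42 - - [16/Jun/2017] "GET /account" 200',
    "eng/release_notes.md": "Version 2.4 fixes the export bug reported last sprint.",
}

# Detector registry: one entry per identifier class the scan should recognise.
# National ID and passport formats differ per member state and would be added
# per state; only classes with a stable, well-known syntax are included here.
DETECTORS = {
    # International phone numbers written with a leading + and country code.
    "phone_number": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b"),
    # IPv4 addresses: the "unlikely suspect" that still counts as personal data.
    "ip_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    category: str
    count: int


def scan(files):
    """Return one Finding per (file, identifier class) that has at least one match."""
    findings = []
    for path, text in files.items():
        for category, pattern in DETECTORS.items():
            hits = pattern.findall(text)
            if hits:
                findings.append(Finding(path, category, len(hits)))
    return findings


def classify(files):
    """Label each file 'gdpr-personal' if any detector fires, else 'unclassified'."""
    flagged = {f.path for f in scan(files)}
    return {p: ("gdpr-personal" if p in flagged else "unclassified") for p in files}
```

The labels produced by `classify` are what a downstream control policy would key on; a production scan would add per-state detectors and validate matches (for example, checksum digits) to keep false positives down.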

Is there still time for an organization to work with Digital Guardian to achieve GDPR compliance by May 2018? And does Digital Guardian provide ongoing support for its customers?

Compliance is a strong word. GDPR is not about compliance in its strictest sense, but the regulation does describe activities a company must undertake to be protected and reduce the risk of fines. What this means for organisations is that GDPR data protection is an ongoing activity and a continuous process.

Definitely, companies should talk to us about working together on data protection in the face of GDPR. We are actively engaged with customers to help them discover, classify and protect their most sensitive GDPR data. We provide on-going support for all of our customers and can work to customize our data protection policies based on their environment and how they’re using the data.

And finally, in your opinion, what are the first steps an organization should take in order to achieve GDPR compliance?

As previously mentioned, compliance has a strong meaning in information security and typically focuses on companies meeting some audit requirements. However, GDPR doesn’t actually mandate any auditing or activities a company must meet. GDPR is more about what fines and legal penalties a company will face if they have not taken the necessary actions to protect EU citizens’ personal data.

GDPR explicitly names accountability at the highest level of the organisation (CEO, DPO); so, a critical first step is gaining executive leadership and stakeholder cooperation to mandate and build a GDPR project. Having board-level buy-in from the beginning is critical, as is appointing an executive leader, preferably the CEO. GDPR isn’t primarily a security issue, nor is it all about IT – it’s a business problem that relies on cross-departmental collaboration from all stakeholders to be successful. Appointing a strong centralized GDPR leader with a core GDPR team across business units is the first step in progressing toward GDPR compliance; however, the core GDPR project team needs to be accountable to the board and executive leadership teams, with direction coming from the top down. A critical first task for the GDPR project team is to identify the what, where and how of EU citizen personal data in the company and to identify the primary data owners. Answering the following questions is part of those critical first steps in putting together a program to protect the data: What personal data is collected? Why was it collected (usage policy, for example)? How is it being used? Where is it stored?
