It’s now less than a year away. But from what we see, many companies in the United States are simply not in sync with the EU GDPR (European Union General Data Protection Regulation), a requirement that also calls for an advanced security analytics plan. Even in Europe, only 52% had reached the state of ‘Dawning Realization’ (per IDC Research) as of last summer. And pleading ignorance simply won’t wash with EU regulatory authorities.
Any organization (U.S. included) dealing with EU citizens’ personal data must be EU GDPR compliant
Failure to be in compliance with EU GDPR could mean hefty fines: up to 4% of an enterprise’s worldwide revenue. Critical highlights include a requirement to notify EU authorities within 72 hours of a breach and a mandate to be able to prove your security approach is state-of-the-art (SOTA). If you have to be able to report within 72 hours, you’d better have a solution that is SOTA!
Because not all of the requirements have been finalized and defined, some organizations have adopted a ‘wait and see’ approach. That’s a risky strategy. Others are only beginning to become aware of the serious nature of the compliance requirements. But time waits for no one. So if you haven’t rolled up your sleeves yet on this, let’s get a little more familiar with what’s going on. The GDPR principles distill the essence of the legislation, which runs to 261 pages of articles from the Council of the EU on this wide-reaching mandate. It designates that controllers and processors of targeted EU citizen data must ensure:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
This is where advanced security analytics comes into play
The second bullet is where advanced security analytics comes into play, and the word ‘advanced’ carries especially critical importance. This is where the key GDPR requirement relates directly to the challenge: organizations working to ensure compliance must also be able to prove their security strategy is SOTA. Assuming that traditional IAM or SIEM solutions, with their manually defined legacy static signatures and rules, all constricted in their separate silos within an organization, are sufficient is simply not state-of-the-art. It’s legacy technology and outdated thinking. Identity is the new threat plane, and these legacy security solutions are ill-equipped to handle it.
Furthermore, drawing context from big data with mature machine learning models is SOTA. But only a select few companies can deliver these capabilities with established use cases. These are UEBA (user and entity behavior analytics), identity analytics (IdA), privileged access analytics (PAA) and cloud security analytics (CSA).
Time to adopt a SOTA advanced security analytics solution
Budgets are coming under review while the EU GDPR deadline looms. Weighing these GDPR factors in favor of the next generation of advanced security analytics may help determine an organization’s success or failure in the future. Adopting a SOTA advanced security analytics solution aligns with EU GDPR requirements. It also empowers an organization’s productivity and expands its security visibility across all of its siloed environments. Without it, the gray areas of unknown unknowns continue to grow, and the threat plane expands.
In my next blog on the looming EU GDPR deadline, the second in a series, I’ll go into more depth about what the financial penalty really means for multinational companies that are not compliant. It’s not for the faint of heart!
To learn more about the EU GDPR, check out our white paper on the topic: Advanced Security Analytics Applications in EU GDPR
Leslie K. Lambert
Chief Security and Strategy Officer, Gurucul