Holistic Approach to Cyber Risk Governance in the GDPR Era

Good afternoon. Good morning, ladies and gentlemen, welcome to this. Copy. A cold webinar holistic approach to cyber risk governance in the GDPR era. This webinar is supported by tech democracy. The speakers today. My name is Matthias ARD, I'm lead advisor and senior Analyst Analyst with cooking a call and I will be joined by two great speakers from tech democracy. We have Ken FA with us who is chief architect, and we have got dev the global managing principle and founding leader. Before we start some information about a coal, the obligatory housekeeping notes, and a look at our today's agenda. ING Nicole was founded in 2004. We are headquartered in Germany with a team of international analysts spread across the world. Us UK, APAC, central Europe. We offer neutral advice and expertise in various areas to companies, to corporates, to integrated software manufacturers. And while I am was our original starting point, we are now working in the areas of information, security, GRC, and governance.
The business area is a quick look in research. We provide a wide range of strategic documents and reports. We have our leadership compass comparing vendors and market segments. We have advisory notes and executive briefs and executive views about the product we do events, and we will have a look on that on my next slide. And the third area is advisory where we provide vendor independent market expertise to customers like end users and vendors ranging from roadmap advisory and product and technology selection to maturity assessments events. There is a range of great cooking and coral events coming up. We have the EIC, the European identity cloud conference coming up in may actually commencing between the 14th and 18th of May, 2018 in Munich. We had the consumer identity world tour last year, and we will do that again because it was a real successful chain of events. And we will do that again in us and Europe and in APAC.
And that will be ranged from September to November this year. And we have the cybersecurity leadership summit in Berlin, also in November then talking of advisory, very short nod, and we are talking about GDPR today. Again is happy to help you in GDPR readiness assessment, understanding where you are with your organization. When it comes to preparedness some guidelines for this webinar, you are muted centrally. You don't have to mute and unmute yourself. We control these features. This webinar will be recorded. And that means that the podcast recording will be available tomorrow, along with the presentations as PDFs. And as we have a question and answer se session, the end, you can enter, enter questions anytime using the questions feature in the go to webinar control panel. And I really like to ask you to, to do so, so that we have some very good questions and your questions by the end of this agenda, I will start up with a introductory part called cyber risk challenges in an era of constantly changing and increasingly harsh data protection regulations.
And that will lay the ground for Ken file, who will then take over in the second part with his section called addressing cyber risk governance challenges in holistic fashion. So this will be the first two times 20 minutes, and then we will be joined by go as well for the questions and answer se session. And then we will get into more detail for your, yeah, for your questions and the discussion. So that's it for the introductory part. So I would like to start with my first presentation, which might be very, very short. It's a very, very quick introduction. First of all, as we are talking about the GDPR era, very quick overview in history, as it's only just a few more months to go till GDPR comes into full force, this is really just a reminder. What GDPR actually is. It is a, a European regulation before that regulation, each EU members, they had their own data protection laws and all these directives that the EU created had to be transposed into each national legal system, which ended up in very diverse and different national legislation.
The GDPR actually was designed to, to, to solve that issue and solve that problem. It came into force by 25, 20 5th of May, 2016, and it has a two years implementation phase, so that it means it's more or less dormant, but it comes fully applicable by the 25th of May, 2008 18. And it will be accompanied with augmenting national laws. So with the GDP answer, what was the aim is actually a harmonization at EU level. So no longer these different national legislations actually strengthen the update data protection standards to make sure that the laws are adequate to nowadays. And an important point is the European standards where have to be applied for all business businesses when they are operating in the EU or EA. So if we look at these actually points that we have to look at when it comes to GDPR, then just to, to show them all the first thing that we really have to know that it's really globally applicable as at least one European citizen is managed within your it systems.
Once this is the case, there needs to be legitimate grounds for the processing. That means that there is either a contract in place, which, which allows the processing of some of attributes of the data, or if there is additional information required from your side, from the organizational side, then there needs to be, for example, adequate consent and consent is one part of what we have when it comes to the extended rights of the data subjects, data subject, that is you and me as European citizens. These are extended and are vastly extended. And they also include, for example, the right to be forgotten to amend the data or the right to be notified about what is stored about you. Or if a data breach happens for many organizations, there will be the need to have a data protection office nominated. And that is something very new for many organizations, data breach notifications are an important point.
So once an organization learns actually that there is a data breach that needs to be notified at least to the data protection authority, and maybe even to the individual data subjects as well. There's the concept of the one stop shop when it comes to DPA. So if you're a multinational organization with more than one office in, in the EU, then you will be able to choose the DPA, the data protection authority within the largest within the country where your largest portion is located. And of course, when it comes to talking about GDPR, an important point is the point of administrative fines. So there is really a substantial threat of being subject to fines when it comes to not being compliant with the GDPR. So that's a very, very quick overview by far not complete, but just to give first introduction when comes to, to GDPR and where we are right now, two months to go, which is not too much.
So the idea for this webinar is to understand what needs to be done and how that can be consolidated into something that is really meaningful for an organization and for the data subjects and for the data protection authority. So doing the right thing is actually what we want to talk about today. So what needs to be done when it comes to implementing measures for being compliant to the GDPR. Again, we are all no lawyers, so this is also a legal part, but I, I think understanding the right thing to do can be also done in such a webinar to explain what needs to be done. And we actually divide that into two main columns. And these, this is on the one hand, the organizational column. So that really makes sure that your organization is well prepared for being GDPR compliant. And that is what is listed on in the left gray box.
It's really understanding your risk, risk exposure. So to execute a data protection impact assessment, this is not fully mandatory, but it really helps in understanding where you are. Maybe you need to adjust your organizational structure, for example, by nominating a data protection or officer a DPO, but also just to make sure that your staff is actually well well aware of what is, what is their duties. And, and that can be done with ex by executing trainings and raising awareness. And as no organization is usually on its own, you need to make sure that there are all contracts and policies and agreements in place that help you in the, in the communication with your partners along your supply chain, for example. So we'll really make sure if there's somebody else processing data for you have the right contracts in place, making sure that everybody knows what needs to be done.
On the other hand, we have the technical parts, and this is really something that we are looking into more in detail today. And these are, I can not only like I cannot enumerate all these points, but it's really important to actually do that all. So from actually understanding where you have personally identifiable information PII, stored and processed within your organization, that is actually really the first step to do to before you can even start thinking about data protection measures. So discover and document PI I, and we will come to this end document part in more detail. And also Ken will have a look at that. Really have the right documentation in place to provide adequate evidence to detect and document data flows, but also on the more technical part to yeah, have patches installed, to have the systems configured and securely whenever possible encrypt data that you're storing.
And of course control access. Once the data subjects give consent for data, then you have to make sure that this consent is actually directly mapped to access control. So that this really means it can only be used for the purpose given or the content given yeah. Protecting and monitoring or administrative accounts, sod rules, and the principle of least privilege and in the final step detect and contained threats. So really understand what happens in your network, what happens to your end points to your users. And if there are any threats, make sure that you can identify them, that you can respond to them and maybe even do the right steps afterwards when something has happened. So I've moved the right box to the left side, and I'd really tried to make sure that we understand what really are the right tools to execute adequate measures for achieving GDPR com or for getting closer to GDPR compliance.
So this is a, a short list of, of potential building blocks when it comes to implementing measures, controls, mitigating controls for achieving GDPR compliance, and that ranges from identity management and access management and access governance, understanding what people actually do with the, with the entitlements that they, but also to secure data transfer platform, encryption even ever possible web application firewalls and all these systems, they are important. And, and yeah, really important building blocks for getting to a technology platform, which is in a situation that can help you in creating that GDPR compliance. So what needs to be done when we have a bigger picture view on that, this is really a, a, a stepped approach for, for getting to GDPR compliance of making the right steps, again, starts with assessing your own organization, but the next step. And that is something that I've already described before, but really embed GDPR compliance into your, into your business processes and your systems.
So this is what I've mentioned before organizational measures and technical measures, make sure that whenever data, subject people, EU citizens hand over their data to you make sure that this is based on adequate legal ground. And that that is usually done by consent management. So gather consent document consent, and use this for processing of the data. And once that is revoked, you cannot long. You can no longer do that. I've mentioned data breaches. Everybody wants to prevent themselves from having a data breach. So you need to have adequate measures in place. And that is usually achieved by really having data protection and privacy by design, if possible in the, in the systems and by default in the systems, but be prepared also for the breach. So make sure that once the breach happens, you are in a situation that you can detect it, that you can notify the right people, the right organizations that need to be notified, and that you are prepared when it comes to having the right communication prepared, brief canned communication. Because once that happens, the last thing you want to think about is writing the right mail, have it prepared. And the last column here is really last pillars demonstrate compliance. And this is something that is really of, I importance. So it doesn't matter if you have a perfectly working solution that is actually GDPR compliant. You are not GDPR compliant, as long as you cannot prove that. So demonstrate compliant by having a framework complaints, have the controls implemented and have all measures that are required her to.
So we coming to my final slide already. So this is really the, the, the final step that I want to go before I hand over to Ken. So again, I again take this list, this mess of individual technological systems that are required for implementing the right technological measures. Although I think Ken will also talk about the organizational measures as well, that as they can be measured within a governance framework as well, but these are the systems and all of them, they have triggers, they have logs, they have communication in any way. They have dashboards reports. And all of this is something that actually all organizations have to look at. And if you have to look at the individual information from all of these systems, the most probably lost. So the idea is how can you pull that together into a single, and, and this is entitled holistic cyber risk governance approach.
So really what can you do to, to get there? So the idea is to put this into a single system, into a single framework that is able to yeah, to compile this information and to get to the, to right level of information, which is adequate for the individual stakeholders that you have, but that is also in a situation that it can actually achieve all these pillars that we've seen in the, in the slide before. So I've taken as an example, the, the missed cybersecurity framework, which actually combines a vast amount of different angles. When you look at the overall cybersecurity topic. And if we go from, from top to bottom, we have the identify detect response and recover cycle that would, of course, again, we reuse when we get back to the identify part. So really identify your, your assets, your business, your governance requirements, your risk assessment, your risk management strategy.
This is the first step you need to lay a foundation layer. The next step would be actually to protect your environment, your data, your data processing, and make sure that all the technical measures that I've mentioned before and much more adequately implemented. So this is the protect part, make sure that nothing happens, but if something happens that you are able to detect it. So you identify anomalies events by having a security monitoring in a continuous fashion, and also have detection processes that the right incidents are identified and reported. And once they are identified and reported, get, go get to the response process. And that is really something that requires an adequate planning, the adequate communication to, towards all involved stakeholders, but also the analysis process, the mitigation and the improvement part. When it comes to the next time, this could happen, really prevent it. So the detection and the protection part should grow over time and recover once it ha has happened.
And once you have responded, make sure that you recover from the individual events or threats or incidents that have been happening by having recovery planning at hand, having adequate communications afterwards. So to tell people, we had a, we had an incident and we, we improved the following measures, and this won't happen again in that, in that way. So it's really also improvements and communication. So this is the approach from, for getting from this mess to the left. Although it's almost seems like quite sorted, but this is really a huge mass of information to really, to get to a cybersecurity framework that helps you in, in getting the right information at the right time at your fingertips, in the ideal world. So, and before I hand over to Ken right now, I just want to make sure that you really enter your questions into the questions and answers panel. So if you have any questions for my part, please feel free to add them and we will get back to the questions later on. And now I would like to hand over to Ken, ask you questions during his speech as well. And we get to the Q and a afterwards. So I hand over to Ken,
Thank you very much Matthias I'm Ken I'm with tech democracy, I'm chief architect there. My background is primarily information security for 20 plus years. I've been a CSO sitting at your seat for quite a long, long time. And so, you know, I've kind of dealt with this year after year after year and, and this new regulation and that new regulation that comes along. And, and as far as being able to kind of do this in a holistic approach, that's one reason that I joined tech democracy was putting together, you know, a framework for not only assessment, but continual assessment and, and making sure you know, that we can do one to many mappings, many to one mappings, that sort of thing. There's no sense in having to reinvent the wheel every time a, a new regulatory standard comes down or, or, you know, the business changes and shifts just a little bit.
And you're left dealing with the data in just a different way. So what we're doing is like to show you a few things about how to be holistic about it, right? And flip to the next slide. This is Matthias slide from before. And, and the reason that I put this up here is let me move this over to the side so I can actually see my screen. Sorry about that. The reason I put this up here is to kind of demonstrate, you know, you have many, many, many, many, many systems in your environment that you're having to constantly do translation for and, and, and find the bigger picture and, and to understand all of that minutia on a day to day basis, right? So, you know, the 16 boxes here, what are you gonna do in order to demonstrate that, all right, I am GDPR compliant or I'm I'm well, on my way, as well as with my global organization, the, the umpteen other regulatory objectives that, that I have to comply with.
One thing that I'd like to have throw out there to folks, when we speak of frameworks, a lot of people, you know, will use nest or they'll use ISO. They're not necessarily frameworks. They, they are standard. They even have the word standard inner name. Unfortunately, you guys sitting out there and sitting in the seats are the ones that have to develop that framework. Luckily, you know, we've, with our years of experience, we've developed a cybersecurity framework that underpins and, and ties all of this stuff together. So you don't really have to, you know, worry, okay, this, this objective says, I'm running with scissors over here, you know, and, and, and the other one says the same exact thing. Now, how do I find out across my enterprise? You know, what it is that I'm doing and how am I dealing with all of these things? So the full cycle here, I love this approach, you know, identify, protect, detect, respond, and recover. That is a full cyclical approach to technology management, especially security technology management.
However, what we wind up with in a lot of cases is a point solution view and, and, and an individual system you into compliance readiness, right? We're having to take all these puzzle pieces and kind of consolidate that for effectiveness and completeness to see if we're meeting a particular objective in this case, GDPR. So you've got minutiae from your identity and access management systems, your, your encryption firewalls, your GRCs, your cloud access security brokerage systems, which, which are becoming very popular. And you're having to call that information on a minutia basis to see, you know, are, am I doing the right thing? Can I demonstrate it? Can I provide evidence? And, and, you know, how does that tie in one thing about any new regulatory objectives in, in my experiences in doing this is that often you've gotta look across all of your existing controls and compliance baselines, and you've gotta find the stricter of those or, or the strongest of those, and then apply those continually throughout the enterprise, or you're gonna be in violation in one particular place or another.
So one of the things, then I'll get into the framework here that we've, we've designed and, and we've implemented into a platform, but one of the things that you have to keep in mind, you know, moving forward is just that you've gotta know where your strongest, where your weakest, where you're making the most of your existing investments, where you can invest more. And that's based on, you know, a few different, and it's not just, you know, compliance and regulatory objectives that you need to make those decisions based on, these are some issues with, you know, kind of doing it in a piecemeal approach and, and as well as the whole time drain and, and, and the burn on, on your average security management staff and, and engineering staff to kind of demonstrate this stuff. So GDPR and, and many other regs they're concerned with the overall effectiveness of your program, not just individual pieces, it's not just okay.
You know, I have my, I have proper change control on my firewalls. Okay, great. You know, one check box. Okay, perfect. But are you compliant in other areas? And, and how is the effectiveness of your whole program, another key issue demonstrating effectiveness at this level, it requires a lot of triage research and individual interpretation for your effectiveness of, of your investments. So, like I said, again, you know, the whole, whole point solution view is kind of the thing of the past. And unless you like Excel spreadsheets and pie charts and, and doing all that good stuff. And, you know, if you love those things, which not, not very many people do, I'd say, stay with them. If not, you know, listen on one thing about constant reevaluation with all of these things, it doesn't lend itself natively to, to your changing business processes or the changing of the technology.
Like I said, cloud is becoming very, very big, you know, in a lot of business minds, if you were to look at it five years ago, you know, especially in, you know, financial services, are you going to the cloud? They're like, no, but your business needs to change your regulatory objectives change and your technology changes. So things get better. Things get a little bit more acceptable, or the risk becomes a little bit more acceptable and you wind up having to shift gears. Now that puts as, as interpret how all the stuff fits together. Another issue is with senior management, you know, and, and, you know, to have to sharpen the crayons because these are business folks, they don't understand security technology, right. They'll come back. How many times have you heard that from, from your senior management staff and say, Hey, what, you know, what are you talking about with this widget?
And going into the board and saying, Hey, we we're, we've decreased our number of vulnerabilities. You're gonna get, you know, just a blank stare from a lot of folks. And so, so, you know, one thing that I've had to do in the past is report to directors around the global separations in 27 countries. And we had approximately 20 or 21 independent legal operating entities. And so, you know, making that case, you know, on, on a decentralized basis and then making it to a point to where they all understand it, you know, completely is quite a task, holistic risk management. Now, what are we talking about when we start talking about holistic risk management? Well, it's certainly not point solution risk management. It's certainly not. Okay. We, we have 150 check boxes. Only 20 of them are important and, you know, and, and are gonna get us fined.
We need to, you know, do those only, but holistic risk management is taking all of that and putting it into one picture and doing a continual real time assessment of your security posture. You have to, you can't lose the ability to, to drill down and, and, and see, you know, how effective you are in one particular area. So that requires that you, you remain technology agnostic, right? If, if you're buying, you know, one particular, you know, solution provider or one particular security solution, chances are, they're gonna layer on the bells and whistles and try and get you to buy more product, but CISOs and, and security management, we buy things and we implement technology based on its effectiveness and how well it's going to do at that particular CA task or that particular use case that we, we subject it to. So holistic risk management will use a framework, inventory controls, pre correlated to industry best practices and regulatory objectives.
I know it's kind of a mouthful, but the essence of that is, you know, making things a little bit simpler, but not losing the details, right. Holistic risk management is not vertical specific. It's not, you know, okay, we have a HIPAA solution. We have a, you know, a FERPA solution. We have a GDPR solution. We have in this solution, we have a O C I E cetera, et cetera. And it applies the metrics to validate and demonstrate all of this effectiveness, our platform. I'm just kind of gonna go into this right here. We use cyber risk security and governance framework, which is a framework that we've developed. And I'll, I'll get into that in just a second, but, you know, over 25 years at doing this, we've, we've come up with, you know, I think a very, very, very effective way to demonstrate that you're doing the right things.
We provide end-to-end situational awareness, what's happening in your enterprise. We're vendor agnostic. You know, we can pull feeds from either file API database, WMI, LDAP, whatever the source is, we're holistic in realtime intelligence. And some of the things that we provide is an estimated financial risk exposure, which I'll get into, you know, very briefly here in a second, as well as breach ability compliance and se indexes. Now, those things are gonna tell you, you know, what is going on in your enterprise and, and the senior level folks we've found, you know, the CEOs and the CFOs and the chief risk officers and, and, and guys like that are more concerned about, you know, one, the compliance index and the breach ability index, which is a scale of one to five, how likely you're gonna be breached based on, you know, correlation to the framework, your regulatory controls and actually everything that's happening in your enterprise.
And then we're able to assign an estimated financial loss to that, right? So we use, you know, a, a, a very complex algorithm of calculations and that, you know, we will get from, from the customers when we, when we do the pre-populate populates, the framework that we have when we've devised is, is consisted of four service pillars, informed, secured, governed, resilient, all right, those service pillars will encompass all pretty much all of technology, risk management, everything from on the informed side that keeping, you know, informed of what is going on in your enterprise. And, and, you know, in your intelligence information, that's coming in the secured services is the actual security of the systems. Things like, you know, endpoint compliance, configuration, those sorts of things, governed services, includes things such as, you know, controlled baselines and, and GRC systems. And the resilient services encompasses not only how you react and respond to an event or your incident response plans and, and services, but also disaster recovery and business continuity and things like that.
And that is how well you are able to, you know, detect, respond and, and, and react to event in your enterprise. The technology part of that, we have six platform modules. So we have entity device, network platform, application, and data, and pretty much all data that flows through your technology systems in, in system security is, is gonna pass through one of those, right? You're gonna have an entity associated with that data. It's gonna pass through device along your network. Chances are, it will hit some, some type of platform and, and application, and then you have the actual data itself. So using, you know, the four service pillars and the six platform modules you have approximately 24 areas where technology could play a difference in, in as far as protecting that data.
This is just a representative sample of, of how things kind of, you know, rotate in a holistic fashion, right? So you've, you've got the business, which is gonna be more concerned with, you know, how informed they are and, and how well we're, we're correlating to not just it business objectives, but, but actually literal business objectives as to how they're doing business, the secured module, which, which deals primarily with, like I said, with, with the technology compliance we'll deal, you know, more with, within the governed aspect and, and risk within the resilience. These are just some of the example activities within those pillars of services. And I think I touched on some of them, you know, very briefly just before, you know, everything from, from infrastructure security and forensics and readiness evaluation, being under resilient to Absec testing and, you know, network security, testing, vulnerability scans, all of those systems are important, but it's more important. I think that you get the overall view of things, the whole picture and not miss anything, because you could have one system telling you, you know, one thing, and, and as a matter of interpretation, you're either gonna think you're effective overall or you're, you are ineffective overall, you know, just put things into the proper perspective, again, more of a, an integrated governance framework and, and how we do things and, and what those, you know, what those security service areas are.
One of the things that we've, we've done and that I've had to do over the past 20 something years is actually come up with the security metrics model, right? Metrics allow you to, you know, not just measure things, but it, it properly interpreted and, and carried through. It also allows you, you know, to tell a picture and to tell a story, right. And your folks at the senior level are gonna be concerned with, you know, what, what is the story, right? Your folks at the senior level are gonna have your top level questions, your top level questions, being things like, you know, are we secure enough for our business? If that, if I had like a, a dollar or a Euro, every time I was stopped in a men's room by a board member to say, and they say, Hey, are we secure today? It's, it's kind of, I'd be a very rich man, but, you know, are we making the right investments?
Are we investing enough? How are we in relation to our competitors? You know, those sort of top level questions that, that every security executive is gonna have to answer to below that, you know, you have the business and it level and the management level questions, you know, am I adequately staffed? You know, you look at, you know, some of the tax preparation services out there, right. I mean, you know, they really ramp up when the taxes are due. And then, and then you look at 'em later in the year, they've probably got five people, you know, on staff total, you know, globally Manning five buildings. So, you know, it allows you the ability to make the right management decision. And then below that you have the operational and implementation level metrics. Those metrics are, you know, the minutiae of things, right? The number of vulnerabilities, the number of port scans, you know, all of that stuff.
And those are good from, from the guy in the seat perspective and understanding, you know, where he needs to kind of invest his time aligning with those businesses, right? You you'll see the four service areas and, and how we do the metrics model is we, we do a bubble up rather than, you know, a filtered down. So all of that minion, all of those information that you're getting in your enterprise is already translated into those for silos to answer, you know, you know, the questions above that, right. Very, very simple there. As far as the translation goes, this is our risk and liability scorecard. And just a, a quick screenshot of that this, our risk and liabilities work hard is, is used for our financial liability estimator. Right? And we have you, you can see all the, the parameters in there from impact and criticality, you know, to integrity as well as, you know, some of the motivational aspects in there. And, you know, as far as, you know, when we configure and, and set up the system, this is very, very simple in order to assign risk, weight, and priority to various systems that, you know, based on what type of data that they're, that, that they're carrying. And so, you know, this will contribute to, you know, what we, we give as far as our, our estimated financial exposure index.
This is just a quick screenshot of, you know, our, our report manager for the executives, right. You know, you click a button, one of these buttons, and it's gonna give you the actual data calculations and, and, and answer the question first off, and then it's going to tell you, you know, what we use to, to measure and to validate that. So for example, here, click on, are we in compliance? Okay, well, yes, we're 98% compliant, and we have two failed controls among 164 total controls. And that, that one, those 164 total controls are just for this particular instance, you know, one, one particular framework or, or one particular regulatory objective, such as like GDPR, we have canned out of the box, we have GDPR, we have DFS 500, we have stocks GBA. We have, you know, all of these different regulatory regulatory and, and, and compliance objectives.
And we have those mapped into our framework. So, you know, that allows us to go very quickly to say, all right, you know, we already have this in place. It's 98%, you know, effective. Do we need to do more? If not, then let's try do an actual drill down into the data, if we do and find out where we need to do more or where we need to make, you know, an additional investment, or you can just go click in, click a few buttons in here and just, you know, do an existing mapping of what you're already using to a new, to a new framework and, and kind of fall where, or see where you're falling short or see where you're very strong at. The thing about it is, you know, we do a continual assessment of this and, you know, and, and there are, I'm not gonna say, you know, many frameworks out there that require that because most folks are, are kind of doing this, you know, as a one shot basis where they're, they're, they're hiring, you know, somebody to come in for a vulnerability assessment, which is basically only one piece of the puzzle, and they're losing the, the whole context of things were, were having to do that extra of, of the translation at the, at the upper level.
If you wanna see this in action, I, I, I really, really would love to, you know, suggest that you get in contact with us. You know, we'll do a, do a demo either with dummy data or, you know, we can prepopulate something, but, you know, the most effective way is to kind of kick the tires and, and see things in action, I think, and I've been tearing through this technology just for, you know, eons and, and one other thing just, just before we get into the questions, we're so serious about the underlying framework of this, that, you know, we've established the Alliance for cyber risk governance, which is to build a technology risk measurement framework. That is, is just as understandable as, you know, reputational risk, operational risk, credit market risk, all the things that executives understand. And we partnered with some of the biggest names, you know, within, within technology, everybody from rapid seven to ellas, to, you know, Rackspace. So we're very, very serious about, you know, getting people to understand what it is that we do on a day to day basis. And, and with that, I'll, I'll turn it over to Matthias.
Okay, great. Thank you very much. So, first of all, thank you, Ken, for this great presentation for our participants. Of course, we are coming now to our Q and a session. So still time to add your question, make sure you have provided all your questions through the questions paneled on your screen. We do have already some, some questions here, but there is space for some more. First of all, for the Q and a, we are also joined by Gordon Def global managing principal and founding leader of tech democracy. And let's start with a few questions. First of all, some, some very quick questions that arrived during my presentation. The first thing was a to which missed domain can we map GDPR awareness and training? For example, maybe, maybe I give a short shot at first and maybe can, you can add to that. If you look at the missed domains, we have these five identified, protect, detect response, and recover. And as GDPR awareness and training actually directly also maps from its requirements to, to site security as well. Not only, but also I would really say that in the, in the protect domain where training and awareness are, are really anchored there. So I think that really fits into the, in this domain of, of protect. What do you think, Ken,
Can you, can you repeat the question? It was breaking up, I'm sorry, Matthias,
Sorry to, to which nest domain can we map GDPR awareness and training? So I, I,
I would agree with you as far as protect goes. And, and like I said, as far as, you know, a lot of the, the supposed frameworks out there, I'm gonna call them standards. What you're getting with a lot of the standards is, is just, you know, a list of controls that you, you know, or a list of things that you must do it, it's not generally going to tell you how to weigh that to your business needs or, or how to, you know, how does that, you know, engage effectively, you know, across all the other must do items regard, is this, is there something you want add to that?
Well, that's absolutely true. So as far as GDPR goal, I think, and as my test has pointed out in one of the slides, the demonstration of compliance becomes very critical and across the board, no matter whichever module from nest or ISO, that you wanna adapt towards being compliant, it's, it's demonstration of that compliance holistically, that becomes critical. And that's the reason why we put it up in as, as a brand force segment matrix across those four domains of informed, secured, go resilient and map them across to give a holistic demonstrable view of compliance to, to your GDPR requirements.
Okay, great. Thank you. We have one other GDPR related question. I think this is a hot topic still. So, and we, maybe we can answer that very quickly. The question is in case of a data breach, what rights does the GDPR empower the affected person with? And if I remember it correctly, I mentioned before we all know lawyers, but first of all, the, the data subject rights are extended anyway. So there is not much added in case of a breach, except for you have in several cases, the right to be actually notified. So then you have the right to be notified without undo delay. I think that is the text of the regulation, but for any other rights, these are the rights that you have as a result from the GDPR. Anyway. So you have the right to have, to be informed, to have a look at the data, to correct it and to, to allow and disallow different types of processing, unless there are covered by the contract. So there is only the rights of being notified in my opinion, as a layman, all other rights are there anyway, maybe that's a very short answer to the GD PR point, but I don't think that there are many other rights that can be added during the, during the data breach aftermaths. You can be notified it has happened what has happened, which data was transferred. And what did the organization actually do to, to, to, to recover from that breach? Can or do you want to, to add something to that as well?
Go ahead.
I'm sorry, go ahead. Go.
And, sure. So, so to act to what Matthias just said, I think what's important. You are in a breach or before a breach is the availability of continuous actionable assessment capability, right? And, and that needs to trigger into some sort of a response or actionable even taking place, which is, which is more critical and how prepared you are to be able to get that actionable intelligence in place and, and in a continuous fashion.
Okay. Okay, great. Thank you. Then another question, which is more related to, to what you presented, can I, I think the, the, your platform comes also with the promise of, of achieving visibility and automating evidence in a kind of push button, fashion and reporting. Do you have experience from, from regulators with the results that you present through your platform? How is the response and how is the, the applicability of what is actually coming out of your platform for a reor when they say, give me evidence
From, from the regulatory perspective, because we don't lose any of the, the detail, right? The detail is still underlying. It it's just that we have, you know, a very sophisticated presentation layer that, that allows, you know, correlation at different levels. So from that perspective, I mean, it, it's been very, very well received. Everything from, from, from regulators to, you know, folks that are actually in the cybersecurity insurance industry. I mean, mean how many times have, you know, as a CISO, you get those whole checkbox or those checklists and, and, you know, and have to go down through all of that, that, you know, on a yearly basis. So it's, it's, it's been very well received in that respect. Gotham, do you wanna comment on that?
Sure. So every regulatory control or a standard control is met to an actual situation that either is violated or has passed that situational rule. So, so the evidentiary, the evidentiary requirements over there lead guide you right back to an exact situation, which is, which is making you in violation from an audit point of view. So the ease of being able to gather that information right down to the nuts and bolts of why a particular control fail has been something that has really hit home with some of these regulatory and auditors.
Okay. Yeah. Great. Thank you. I think that that is the big promise. And, and if you can have a, a report, a dashboard, but also can drill down. I think that is something that is really helpful. No matter whether the regulator comes in on a scheduled basis, you expect them, or you do not expect them. So they come here and you have to have a, a hoc insight into the system. Okay. Another question, some, some organizations say we already have a, a, a framework for compliance with GDP because it's only two months left. We are, we are already working on it and we feel quite fine. Can you platform help there anyways, Kim?
Yeah, I I'm, I'm, I'm gonna just jump feet first into this and say that you, you probably already have a framework that you've, you know, spent eons or, or a considerable amount of time fleshing out. What is that you need to do in order to comply with, you know, those, those checklists. Right. So, as I kind of said before, you know, a lot of 'em are standards. They're not necessarily, you know, frameworks. So that means that they've got a checklist of controls of things that you need to do and, and, and need to kind of gauge effectiveness on. We don't require you to throw the baby out with the bath water, you know, in 90% of the times, what you're gonna have from, from one framework or, or from one regulatory baseline to another is gonna be very much the same. And I use the, I use the, the term, you know, running with scissors that don't run with scissors.
It's very basic. A lot of folks understand that, you know, you don't do it. And, but, you know, in some cases you're gonna need the run with the, the ones that don't have the pointy tips on 'em that can only cut, you know, clay and crayon, you know, and that's, that's based on the business. And that says, Hey, you know, that's acceptable to me. So yes, we map very, very well to pretty much any framework that's out there because we allow the one to many mappings and the many to one mappings to be done. And Gotham, do you wanna comment on that?
That's that's I think you got most of it right over there. Again, I would just, again, point back off the important aspect of it's. Okay. You might have a framework, you might be compliant. You know, you are a checklist of controls or what have you, but the end goal is to be able to demonstrate that compliance and in a, and be able to do that on a continuous basis, if you wanna be aware of any, any, any violations during the due course of it, or at the point where you have to show compliance. So the ability to have, you know, something that layers on top of all those checklists of controls or frameworks of compliance that you have put to effect to, to, to check if you are real GDP compliant, then you need to be able to demonstrate that with a blanket on top of it.
Okay. One question you've mentioned this, this, yeah. This Excel approach, this very manual and very tedious and, and very long running approach for demonstrating compliance. Now, your platform comes with, with this promise of, of doing lots of these things for the organization, there must where's the complexity, this looks like it's complicated. How many people do need, do you need to operate that, to configure it to, to, to, yeah. To apply the, to filter it and to do all this care and feeding.
So what I'm, I'm going to say, you know, even though something can look complicated, that's just because it has, you know, a lot it's very rich and functionality, but it's, it's actually, it's minimal investment once, once it's set up and, you know, as far as the care and feeding goes, if you have new controls or something that you need to, to load in, or load new situations in, you know, those, those sorts of variables, or you need to just, you know, change, you know, the priority of a business process, it's, it's a few clicks away. So, you know, a large value that we provide is, is turning you complicated risk interpretation into something that's not only manageable, but it's effective. So we'll, we'll do the setup. And, and we come in and we do the setup based on your company needs and, and, you know, provide a very simple management overview that, that they need to do on, you know, on a periodic basis. I'd say Gotham, anything on that?
No, that's alright. Thanks. Yeah, that was perfect.
If a new regulatory requirement came out next year, would you provide the, the best practices and the additional filters and reports and the right button to push to get the right reports out on a continuous basis as a service, best practice included in the platform so that people can really rely on yeah, I'm, I'm, I'm compliant next year as well.
Oh, AB absolutely. And, you know, and, and, and part of the training that we provide is, is if folks kind of wanna one off that as well to kind of supplement, you know, maybe, you know, they're, they're, they're subjected to something at a local level, right. If, if you look at, you know, the, the, the regulatory landscape in I've used the us, for example, right. I mean, you've got GBA, you know, PCI cetera, etcetera, but then you also have a very large number of states that implement, you know, their own, like New York state has DS DFS 500 Massachusetts says 2 0 1 CMR 17, you know, and we, we do provide for those as an example, you know, a, a out of the box, you know, kind of control assessment and, and that's included in the platform, but let's say if you were to, you know, have something, you know, locally, that's not in that, it, it wouldn't be very difficult to either put in yourself, or we could do that as well with our professional services team.
Got right. And, and, and the, yeah, the way, the way the tool works is it has a big bucket of controls, which we call unified control bucket for, if you will. And, and, and chances are, if there's a new regulation comes and you can create a new custom regulation of your own, you can your own custom security policy and, and be able to continuously assess the effectiveness of that policy. Leveraging a platform. Chances are, if a new control, a new new regulation comes in, a lot of the controls are already being leveraged elsewhere that you could carry. So you can have essentially a one to many mapping, so you can use a control and, and, and map it to number of regulations existing or new, and create an independent bucket in itself that is being monitored.
That's kind of going back to that, running with scissors analogy.
Yeah. I, I did want, yes, I did want yeah. See your, but yeah, that's kinda what, what it's.
Okay. Last question, maybe with, with a short answer, although it's a large question, I assume many organizations have cm systems have GRC systems in place have lock collection platforms in place. Does your solution play nicely with those consume from them, provide information to them? Is this a, an integrated solution?
Well, I AB absolutely. You know, we have, you know, partners in, in play I'll, I'll use log as an example, you know, they're a core partner of ours from, from a GRC solution aspect. You know, RSA is a partner of ours. We, we're not trying to, you know, play in the sandbox of something that, you know, CISO is bought in order to be very, very good at that one particular objective, but there are differences, right? SIM they're very, very good at, at, you know, the minutia aspect of things and individual event aspect of things. But they're not very good at doing any sort of necessary translation to say that, yes, you know, that this event violated this control or, or this, this event has raised our, you know, our, our financial, you know, exposure. So, you know, from the SIM and the GRC perspective, and the GRC perspective is, is sort of a, a one point in time. Am I compliant with my control right now? Or, or am I not right? We, we allow that to be kind of translated at, you know, a more complete level and Gotham
True. So from an SI point of view, you know, there's a whole lot of analysis that goes into considering if an even is indeed an incident or not essentially shrinking the haystack to find that one needle. And that's what we do effectively. So we can draw from an S I, and, and have those situations detect that needle from that haystack of event that SIEM provides on an automated basis, a continuous basis. Now the whole continuous assessment of controls is another paradigm that makes us a differentiator from your typical run of the mill historical GRC solutions, where you have workflow driven, check boxes and modularized for different regulations. And, and you have to do control testing of each, you know, kind of regulation separately, where we can do it in one shot and in a continuous basis as well. And that is because we leverage this 24 point matrix, which normalizes the data across those six areas of concentration and, and four dimensions.
So the continuous assessment and the ability also to be able to balance risk versus stress. So if there is an issue that a situat, whether a situation fails, be it from a control point of view, or a breach point of view, you have the ability to certify to say that, okay, is this risk worth the time and effort and the money to be spent on? Or can I just trust this level of risk? And, and, and again, adapt to a situation. So all in all those, those, those are some of the capabilities that, so I would say we supplement those technologies rather than, you know, kind replace.
Okay. Understood. Thank you. So, so this is the end of the Q and a section, so thank you all for your questions and your participation in this webinar. We have some unanswered questions, and if there are any other further questions, please free to get in touch with us, either copy or call or at tech democracy. And the mail information will be available on our website. And of course, on the website of tech democracy, thanks again to Ken and Gotham from tech democracy for a great presentation and for sharing their expertise and insight in this Q a as well. Ken, do you have any final thoughts to share with our audience, Ken?
Well, I'm just, I'm just gonna go out there and, and say that, you know, as professionals we've, we've been through this many, many times, this isn't the first rodeo or the first fire drill, so to speak. So don't try not to get mired in, in minutia when you're doing this, at least, you know, when you're, when you're first going into it, you know, just keep your wits about you and, and you'll get through it just fine.
Great Gotham. Do you have something to add,
Just thank you for, you know, attending this very important topic of GDR readiness assessment. And if you want to deep dive into a platform and framework at a more granular level, feel free to reach out to us for a one-on-one demonstration of the platform, and we'd be more than happy to set that up for you. Thanks again.
Great. Thank you. So we would be happy to welcome all of you in another webinar soon. Now, of course, very much looking forward to meeting some of you in real life at one of our upcoming events and especially the upcoming coming EIC early may, just before the GDPR comes into force there, I've heard the rumors that we plan to have a dedicated GDPR panic room. So maybe this is something of interest for those who are still not prepared then. So that's it for today. Thank you for your time and your participation. Thanks Ken. Go have a great rest of the day and goodbye.