Why Security and Compliance are Everyone’s Problem in the Wake of GDPR
Last month, we met the faces behind our Mitratech security team. But these people are more than just a security crew; they’re motivators with a single mission: to empower everyone to take responsibility for their own security and compliance.
With GDPR in full swing, we wanted to circle back with our own in-house data security experts to discuss common misconceptions regarding security and compliance, why we should never take security for granted, and what our company’s doing to make sure we comply with GDPR and protect our clients’ data all over the world.
Without further ado, here’s what Marc Kajiwara, Mitratech’s Director of Security and Compliance, and Dakota Wright, Security Analyst II, had to say on the subject.
Q: What are some common misconceptions about security and compliance and what do you wish more people could understand about it?
Marc: First of all, while we’re always happy to help, people can’t just rely on a security team to handle security. Everyone should be aware and everybody should be in charge of their own security.
Employees are an organization’s best protectors and everyone should feel empowered to protect themselves, and their company, like they would their own front door. Everyone should lock their computers and set up passwords, just like they’d lock their front doors.
Basically, we want everyone to feel like security’s a part of their life and to feel ownership for their own security. I want people to feel empowered as part of a security program.
Also, on a basic level, security’s not really technical or difficult. The more you understand how much you – as an individual – protect everything, the better off a security team will be.
I wish more people would liken e-security to how they do things in the real world. For example, don’t take candy from strangers, don’t accept packages from people you don’t know and don’t leave your home with the door unlocked. Many people disconnect from this basic common sense when they’re in the security realm.
Q: As a function of a product, security can sometimes be taken for granted. Why should we never take security for granted?
Marc: The truth is, security’s not always included. While it’s now generally thought of as something everyone should do, 5-10 years ago, this wasn’t the reality.
Security is like going to the dentist; we should be proactive about it. Like the dentist, if you keep going for regular check-ups and cleanings, you don’t eventually end up with a bunch of root canals and other things that need to be done. However, if you wait too long, it’s much harder to add it in later than to bake it in from the beginning.
The next stage is to embed security into each step of the way for a product. All the way from the design – from baking in how to secure the product and what’s important, to baking in processes that are part of development. We should test, scan and validate each product as much as possible before we roll it out the door.
Think about it. When you get up in the morning, you shower, have breakfast, maybe get in your car. It’s routine. Security operations should be part of the routine. The more we do that, the better the security stance of a company will be. For example, if we set aside 10% of development time to make sure a product runs, we should set aside 10% of development time to test security.
Q: Can you talk a little more about your work with GDPR? What are you doing to make sure we’re prepared?
Marc: Honestly, Mitratech is over-prepared for GDPR. The alignment across marketing, sales and security, as well as the communication across the organization and the knowledge about GDPR has been great.
We work hard to make sure everyone knows where the documents they need are and who to direct someone to with a GDPR question. We want everyone to be able to say yes, we’re prepared, and we have the right processes in place.
Dakota: For GDPR, the first thing we did was create new policies to support it. We looked at the entire organization to see what data we have, where it is and where there were any holes where we needed to plug the gaps.
The biggest focus, aside from the project, is to make everyone aware of what they need to do. We also have a heavy communications focus and are really trying to make our employees – and our clients – aware. We have the GDPR Resource Hub to help communicate these changes to our clients.
Read more about our superheroes of security and compliance here.