Lack of user guidance leads to network gaps.
There is not enough guidance on how to adhere to regulations, and too many businesses are left to determine their own compliance.
Speaking at the UK Cyber Week conference in London, Luke Griffiths, information security consultant at Secarma, said the Data Protection Act “essentially just says implement appropriate technical and organisational measures, and then you need to do the rest and figure it all out for yourself.”
Griffiths said this is why security is so often misaligned, when we should be aligning information security management systems to a standard, “and if we don’t do that there will be gaps, and certain areas will undermine others and this will lead to conflict.”
In being better defined, Griffiths said this means defining policies, processes and practises so they are repeatable, and allow users to gain metrics and audit and compare results from. “Most of all, it is adaptive, so it can continually improve,” he said.
“If you do not conform to a management system and you’re doing the continual improvement yourself, you will end up finding these gaps in the future - and it becomes even more important to have closed them way earlier.”
He recommended users take steps to formalise their management system, use an external auditor to come in and “help you make sense of it.”
Griffiths also told the audience to take supply chain security more seriously, as he said “we want to be demanding more from ourselves, but even more from our suppliers.” This is because there is very little recourse in the event of a partner experiencing an incident, and users can face legal issues if there is a lack of a duty of care between parties.
He said: “Do your own due diligence and only onboard suppliers that meet your due diligence requirements. If they don’t [meet your requirements], you need to go to a contract and come up with warranties and conditions that allow you to take action, even if they fail in their information security obligations.”
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
An error occurred trying to play the stream. Please reload the page and try again.
CloseRegistering with SC Media is 100% free. Join tens of thousands of cybersecurity leaders today and gain access to the latest analysis shaping the global infosec agenda.
