Boards’ Eye View of Digital Risk & GDPR
Graham Mann
Managing Director & Co-founder
CyberSpace Defence Ltd.
International House, 24 Holborn Viaduct, London
EC1A 2BN
g.mann@cyberspacedefence.com
Mobile 07714210433
Why care about digital risk?
It makes good business sense
It demonstrates customer focus
It safeguards a key asset – data
It underpins the business
It secures IP and corporate secrets
Increased governance = decreased fines
Drivers for digital risk
Increasing importance of data and its relative worth
Impact of personal data loss on people’s lives
Action to address data risk at the governmental level –
compliance [GDPR in Europe]
Exponential increase in cyber attacks
Ever-increasing fines for non-compliance with local
governance
Lack of an holistic approach to security within many
organisations
The need for a digital strategy
A plan, or in the digital world a roadmap, for the application of information and technology.
This will inevitably include data and thereby have
implications for data risk management.
Critical to all businesses in this connected age
Underpins business agility
Enables good data governance by providing advance notice of new data requirements or new processing requirements.
Digital ‘Risk’ Strategy
Supports the Digital Strategy
Digital risk is an organisation-wide responsibility
Digital risk needs a clear goal and a plan
It supports good governance [GDPR]
Vital for boards to manage digital risk
This is essentially about managing your data
Who’s responsible?
What’s the relative importance?
Where it resides
Who should have, and who has access?
Data can no longer be an afterthought
Organisations are expected to protect data by design and
default.
In this context, by design means that whenever business practices, IT processes or physical infrastructures are conceptualised, maintaining privacy and data security must be integrated at the outset.
Requirement for data impact risk assessments to be
made.
Basic Questions
You’ll need to be able to answer some basic questions
about your data:
What data is being processed?
Why?
By whom?
For what purpose?
Who is it being shared with?
Can it be justified under GDPR or other governance?
Digital Assets – Data Management
GDPR
Classification of data
Storage, Encryption, Back-up and Removal
Data retention policy
Where is the data?
Access rights – who has access to the data and under
what conditions?
Data leaks – what’s the plan?
Risk Appetite
Digital Risk spend v likelihood, impact & cost of a breach.
Based on what data?
GDPR changes established views
It’s now about proving you did all you could to protect personally identifiable data.
The tide has changed in favour of the individual
Breach detection has been brought into sharp focus
Data must be a key part of the ‘risk management
framework’.
Risk Appetite (cont’d)
Critical to have an external review of Digital Risk to cross-compare against the internal
Parameters to the digital risk decision
Current security position
Reasonable expectation of security
Data strategy and plans
External factors – types of attacks, sectors targeted
Need for business agility
Investment [in security] need
Governance
Organisation
Roles & Responsibilities
Board responsibilities
Senior management responsibilities
Data Protection Officer (GDPR requirement in some circumstances)
IT Team responsibilities
Security Team responsibilities (if you have one)
Employee responsibilities
Executive Risk Committee [digital and physical]
Security Working Groups
Auditors [internal if you have one]
Communication between key groups
PR, Legal, Finance, Security, IT, HR…
Breach plan and procedures
The Board
Must set the agenda on data governance and digital risk
Need to determine which committees will have
responsibility for reviewing the detail and implementation
of data protection measures.
Company Secretary has an instrumental role
Reporting to the Board on all matters pertaining to
GDPR, data governance and breaches.
The Human Element
Education, education, education
Social networking activity by employees
Social engineering (Phishing)
Pre-employment security checks
Recruitment of cyber security professionals
Outsourced Services
Open environment for reporting potential data breach
issues
Communications
Digital risk Environment
Governance, Standards & Certifications
Adopting a standard like ISO 27001/2, Cyber Essentials, NIST, etc. makes life easier
If you haven’t already, you are strongly advised to adhere
to a certification/standard
A standard will provide structure to the cyber security
protecting your digital assets
You will almost certainly need to comply with GDPR – the General Data Protection Regulation
Compliance relating to personal data
GDPR – in a nutshell
Covers personally identifiable data on European subjects held and/or processed by you or a body authorised by you.
Fines are potentially eyewatering.
If you suffer a breach you need to notify the authorities
within 72 hours
You need to be able to demonstrate compliance, so
processes and record keeping are essential
You’re jointly responsible for your service provider
breaches
Personal data: If you don’t need it, don’t keep it
Personal Data
Individuals have the right under GDPR to:
Access their own data, or
Request rectification or
Erasure of data; and
The right to request a restriction to processing or
To ask for data to be handed over for use by another processor.
Are you geared up for this?
Risk Landscape (Cyber attacks and threats)
Despite more money being spent on cyber security - $$$
A plethora of very clever cyber security solutions
A huge base of highly-qualified cyber security
professionals
…the risk landscape is worse than ever. Why?
Well, Here’s Why…
the readily available and cheap attack tool-kits
the chronic lack of cyber security professionals
the high rewards to the hackers and criminals;
the insatiable drive for business agility;
the sheer number of cyber security solutions;
the complexity of our networks;
the explosion in the Internet of Things
…and an ever-increasing connected world.
The issue is compounded by…
Sector-based implications and associated risk levels
Antiquated network/security architecture
Supply chain risk implications (soft underbelly)
Lack of sufficient digital risk due diligence in M&A
No data-centric approach
Too much reliance on IT, security people and a technical
solution
Organisations require a top-down approach to digital risk
Digital Risk Planning
Plan for an attack
Response
Call-out
Communication
Internal and external
Defences
Identification
Forensics
Strategy
...and if all fails insurance
Supportive Technology
Technology isn’t the entire solution
Established suppliers v start-up technology
Technology v Services
Tendering issues
Inclusive digital risk awareness/training programme
Continuous assessments
Acceptance that humans are the weakest link whatever
technology you put in place
An inclusive approach
Interaction between physical & digital risk [security]
Convergence of digital & physical security
Corporate structure – does it support the digital risk
strategy?
Digital Risk permeates every part of business and any
plan must be inclusive to succeed.
That means everyone
Fiduciary responsibility
Can’t emphasise enough the boards’ role
Need for a digital strategy and a digital risk strategy
Protect your digital assets
Sector comparisons
Justification process
Formula for allocations
Return on investment
Governance
Digital Risk Reporting
Essential at various levels throughout the organisation
Needs to be applicable to the subject matter
Should enable issues to be easily identified [drill down]
Linked to compliance/governance
Must be relevant to the audience it’s addressing [simple
traffic lights]
Jargon buster
Accurate and truthful
Public Trust
Get your marketing people engaged
GDPR is an opportunity to communicate with all your stakeholders.
Be seen to embrace GDPR
Winning public trust is worth the effort.
In conclusion
Re-evaluate your approach, your structure and your
systems in relation to digital assets/risk
Digital risk must be a focal point of the business –
develop a strategy
It affects everyone and must encompass everyone
Digital risk is fluid and needs constant review
Recognise your defences are fragile - plan for an attack
Embrace the changes that GDPR will bring
