I recently created a course on the Global Risk Academy outlining the requirements of GDPR (https://globalriskacademy.com/p/gdpr). My objective was to guide organizations, other than those in the EU, to understand what they need to do to be GDPR compliant. Having immersed myself in the GDPR, I came to realize it represents a quite different perspective on cyber security than the one currently embraced by many cyber security professionals in the US.
The GDPR explicitly places privacy security requirements front and center. This places an onus on organizations to protect individuals’ information that is in their possession. In the US, security requirements have primacy, which puts the onus on individuals and organizations to protect their own assets. This differing perspective of privacy vs. security as the driver is not just a matter of semantics. It represents a fundamental difference in how to address the cyber exposures that we all deal with.
Let me explain. By focusing on the privacy of individuals’ information, the EU has made it a priority that others protect individuals’ information in their possession. This takes the pressure off individuals to secure their own information while letting the EU bureaucrats believe that they are doing something.
In the US, by contrast, the focus is on technical security, which provides organizations and individuals with a structure under which, if they follow it, they will be safe. It appears that responsibility for protecting one’s privacy remains with the individual.
Both approaches ignore the cyber exposures that individuals and organizations face every day because of their own behaviors. Some examples include the use of ‘PASSWORD’ as a password, not changing default settings on various devices, not performing updates on various devices, and believing that smart technology will protect you.
All the technology in the world cannot protect an organization from ill-informed personnel or willful, arrogant behavior.
We strongly recommend that you consider addressing all your cyber exposures. Not sure what that means or how to do it? Try our course on understanding cyber exposure at the Global Risk Academy (https://globalriskacademy.com/p/cyber-exposure).