Stealing shamelessly from the language of Gartner’s Hype Cycle, the ‘trough of disillusionment’ is when something – a technology or product category – has been over-hyped and under-proven, and subsequently, the target audience switches off. We’ve all seen the charts, with a rapid rise to the ‘peak of inflated expectations’, followed by an equally steep fall from grace.
Is GDPR over-hyped?
We’re currently somewhere around the ‘trough of disillusionment’ with the new European data privacy legislation – the GDPR – which applies from May next year. CISOs have been bombarded with information from vendors masquerading as ‘experts’ on the subject, most of them focusing on the more negative aspects of the new legislation – such as the potential to be fined up to 4% of global annual turnover for the most serious infringements (failing to notify a breach in time actually sits in the lower 2% tier) – and we’ve now reached a point where these messages are completely missing their target.
On the one hand, this is an entirely natural process and, looking at the next phase of the hype cycle, you’d expect that we’ll soon settle into a more sensible, measured cadence of conversation about what steps CISOs should be taking to meet the GDPR conditions and protect their businesses at the same time.
But in the case of the GDPR there is now a real danger that the trough of disillusionment might lead to too much inertia, for too long. And if that happens, and we start to see breaches that perhaps could have been prevented, the authorities will be sharpening their knives looking to make an example of those early, high-profile stories. Make no mistake, the fines are potentially crippling.
Protect customer data for your own interest
The problem with investing in technology primarily for compliance reasons is that it’s a grudge purchase. You do it because you have to, or because someone has told you you should, rather than because you’ve identified the need and convinced your board that you have the answer.
So perhaps we should start looking at the GDPR from the point of view of ‘carrot’, rather than ‘stick’. Why is it in your interests to start the process of considering where you need to invest, and prioritize accordingly? Could it be that demonstrating that you have invested in defense in depth solutions to protect your customers’ data might become a strong source of competitive advantage?
The GDPR has a distant cousin in the US in the form of the New York State Department of Financial Services (DFS) Part 500, to which ‘affected firms’ need to certify compliance by February 2018. Where the GDPR provides fairly broad-brush guidelines on how to protect personal data, and is driven more by the rights of the individual to privacy, Part 500 actually details what controls should be put in place in order to achieve the same end goal. Requirements such as multi-factor or risk-based authentication for access to internal systems are pretty specific technological mandates that show the need for properly thought-through defense in depth to prevent the theft of personal data.
CISOs only have a year left
With the GDPR applying from 25 May 2018, these two initiatives are running on parallel tracks. We might be able to regain the attention of CISOs around GDPR if we dispense with the stick approach, and instead point to the benefits of some of the ‘next generation’ technologies that can help them protect their businesses and build future customer loyalty.