While at InfoSecurity Europe last month, I had the pleasure of interviewing Christopher Graham, the ICO UK Information Commissioner. I was giving a talk on the concept of Continuous Compliance and what that means from a firewall/network security perspective at the show. As the ICO is a UK regulatory body, I thought it made sense to sit down with Christopher to discuss why companies should focus on compliance, and I'm glad I did.
While many would agree that a proper compliance program is critical to protecting an organization's brand, Christopher framed it in a way that really resonated with me. Many UK driven compliance initiatives have to do with privacy. The way Christopher sees it (and I agree with him 100%), maintaining customer privacy is all about respecting your customers. Companies are in business because our customers trust us, and if they don't trust us then why should they do business with us?
As ICO's Information Commissioner, Christopher can levy fines up to 500,000 British Pounds to companies that, in his words, "get things spectacularly wrong." However, there is a wide spectrum as to why a company might get fined. There is a big difference between malicious intent - a company with no respect for their customers who engages in unethical business practices versus a company that was trying to do the right thing but was still compromised.
In the second example, things "go wrong" because maintaining compliance is a daily task prone to human error. To make things "go right", constant vigilance is required - in other words, ensuring sufficient measures are in place to adequately protect customer data in the first place. And that's where Continuous Compliance is key. Continuous Compliance is not about checking a box - it is about respecting your customers' privacy, and making sure the proper technology controls are in place to accomplish that.
I encourage you to check out my video interview with Christopher, as we can all benefit from heeding his advice not to "play fast and loose with customer data".
Chief Security Architect