Cybersecurity has evolved from a technical issue into a legal, strategic, and ultimately existential one involving an individual's rights and freedoms. With the passage of General Data Protection Regulation, or GDPR — a sweeping set of data privacy and security rules now in effect throughout the European Union — companies must manage the regulatory aspects of cybersecurity with enhanced levels of precision.
I’m Noah Webster
, the new general counsel for Zix. Zix has been around for two decades, and it has evolved throughout that time to meet the most pressing security needs of business communication.
Throughout my career, I have worked at the intersection of technology and the law. That includes managing commercial contracts, calibrating privacy and security compliance, following anti-corruption rules, and more. Thanks to that broad-based experience, I know what it takes to ensure compliance across large and complex companies. More importantly, I understand how compliance teams must now adapt and evolve to help their organizations avoid larger and harsher penalties.
The Changing Role of Compliance Teams
It’s hard to overstate the impact of GDPR. Some have dismissed these rules as applicable only to entities that do business in Europe. The logic says they are currently exempt, so they don’t need to change anything about how they manage data and implement privacy safeguards.
This is the wrong approach. GDPR broadly applies to a lot of companies, even some that may not currently realize it. (Have you checked your customer list and your email servers for EU-related domains?) But even those that are not currently affected are likely to be in the near future.
recently passed a bill that feels much like GDPR. New York state also is debating similar legislation, along with federal governments around the world. GDPR may not be an international standard, but it’s likely to become an international model. Therefore, stronger data security and privacy measures will probably be required for all companies in the near future.
Meeting these new rules takes a blend of practicality and creativity. Compliance teams must be practical, because they work with limited resources to mitigate the risk of an ineffective cybersecurity program, where failures can cut deep.
Creativity is similarly important because the overall threat landscape is changing all the time. Attack strategies are evolving just as fast as the regulatory obligation, which means no single strategy will work for long. In order for companies to keep data secure and keep regulators happy, they must constantly look for new approaches. Zix brought me onto the team to help our customers find them.
3 Key Priorities for Today’s Compliance Teams
It’s difficult to make any definitive statements about the future of cybersecurity regulations, but that does not mean companies cannot plan and prepare for uncertain times. These are the priorities they must focus on as they chart a path forward:
- Learning from best practices: Because the cybersecurity risks and rules are changing so much, companies will need to continually revise their approaches. However, when it comes to something as important as security and compliance, following an unproven approach is a serious risk. As companies begin to adapt to GDPR and explore its framework, a series of compliance best practices will develop. These practices should inform the road map that companies follow when pursuing compliance.
- Finding the hidden wrinkles: New cybersecurity laws are intended to protect the public interest, which is complicated and sometimes conflicting. For instance, companies are increasingly obligated to delete a user’s data upon request. At the same time, they may be expected to save the same data and turn it over to law enforcement. The imperatives are in direct opposition, and similar conflicts exist (and will become more common) as the regulatory landscape expands through different jurisdictions, including various U.S. states. Compliance must manage the risks presented by these wrinkles.
- Monitoring your program: Cybersecurity is not a static program. Consistent review of your cybersecurity policies and practices is critical for adapting to new regulations, identifying issues, and enhancing your cybersecurity posture. Following up to confirm that practices are meeting your standards is also a necessary review step to ensure there are no gaps in your process.
Compliance is more important than ever, and more difficult. I’m here to help companies understand and adapt to the flood of new regulations coming down the pipeline. Compliance is a crucial part of cybersecurity, and it’s a central component of the Zix suite of solutions