
Article 32 of the General Data Protection Regulation says that you must have an appropriate level of IT security. There are, of course, other good reasons to have one as well, but ..

.. what is an appropriate level of IT security, actually?

In the latest edition of a standard work on cybersecurity, one can read the following sobering words about our current understanding of the dangers of the many digital devices (laptops, smart phones, etc.):

“If you imagine how things were in the early days of the car, there was no clear idea about where to locate the steering wheel, so it started out being in the center of the car on many models. There were no seatbelts, roll cages or airbags. People were just amazed that the car moved without a horse strapped to the front, so they started out calling it ‘The Horseless Carriage’.”

On the reason for spending on IT security, the following is written:

“Cybersecurity departments led by a CISO (Chief Information Security Officer) now play a central role in controlling the destiny of [..] organizations and their leaders because after all, there are only 2 ways any CEO can unwillingly lose his or her job: (i) poor share price performance or (ii) a massive loss of sensitive information that evidence determines was due to substantive gaps in the organization’s cybersecurity. Only item (i) seems to happen overnight.”

But on the possibilities of investing meaningfully in IT security, the following is stated, which HR departments should perhaps take note of:

“When organizations advertise a role and put in the required section ‘Must have at least 10 years cybersecurity experience’ it makes cybersecurity people chuckle. That level of experience rarely exists and is nearly irrelevant when it does. We also do not apply for such jobs unless we are ‘fond of a treat’ (a British expression of irony suggesting the person enjoys inviting pain and suffering on him or herself). Who wants to take on the challenge of working for an enterprise that lacks even basic understanding of the modern cybersecurity industry? Nobody wants to be employed only as a scapegoat.”

Which is followed up with:

“The fact is that very few people were working specifically in this sector until about 2013.”

Conclusion? Here you go!:

“The hard truth is that the technology landscape has changed so much in the past 10 years that a significant number of people who work in the field don’t really understand current technologies.”

But what now?

Well, among IT security experts there does seem to be agreement on these (more or less useful) banal paths to an appropriate level of IT security:

  1. Do something! A little is better than nothing
  2. Do something more! More is better than a little
  3. You don't have to build Fort Knox, you just have to make sure that YOU have locked YOUR bike – then it is not yours that gets taken among the crowd of possible victims, because there is always someone else who has forgotten to lock theirs, and cyber-bandits are – like other people – lazy

In other words: Two men are standing on the savannah. A hungry lion appears and goes after them. One man starts running. The other asks: “But you can't outrun the lion, can you?” The answer: “Never mind, I just have to run faster than you.”

So check the market, and preferably the IT security level of similar activities, thoroughly before the requirements go into the tender documents or the wishes are adopted by the board.

And then there is the whole issue that much of the software in companies today is cloud-based (cheap and accessible), but with a built-in, very limited ability to know what is actually going on when the software is used (poor security). That kind of thing is – naturally – called “bleeding edge” technology. But that is another matter.

IT security and personal data: "Two men are standing on the savannah.."

If you would like to know more, please feel free to contact Jacob Naur

Phone: (+45) 6144 0707
Mail: jgn@hejm.dk