Ed Tucker, CIO at DP Governance, will be a keynote speaker at the Public Cyber Security conference next month where he will be discussing the practical measures organisations can put in place to ensure they are GDPR-compliant. Tucker spoke to Digital Health News about the need to remove the complexity from the GDPR debate and bring the issue back to basics.
Tucker joined DP Governance in September 2017, having previously acted as head of cyber security at HM Revenue & Customs (HMRC). His successful career at HMRC saw him turn the organisation’s cyber department from a one-man team to a multi-pronged unit operating from two security command centres.
On the topic of cyber security, Tucker says that the focus has shifted too much towards new innovations rather than tackling the issue at its root.
“The market will tell you that attacks are more sophisticated than they’ve ever been, but frankly so is technology, so why is that a surprise?”
“The problem is that everyone is chasing the buzzwords – big data, artificial intelligence and so on. All the while, people generally ignore the basics, which is why we see breach after breach after breach,” he explained.
Tucker points out that the majority of high-profile cyber-attacks on public services in recent memory have not been due to the sophistication of the breach involved, but rather a lack of precautions taken by those affected.
“People just get it wrong. Take the NHS and WannaCry – if they’d just prevented SMB (Server Message Block) traffic from the internet they wouldn’t have been infected – simple as that. You don’t need artificial intelligence, you need to do the basics well.”
“It’s not just the NHS – look at all the recent breaches. Whether it’s Equifax or Uber or TalkTalk – in any of them, the fundamental driver was that they had a catalogue of basic errors.
“If you’ve got that wrong, you can have all the whizz-bang security solutions in the world and they won’t work.”
Tucker also believes that cyber security discussions these days tend to fall back on tired messages and fear-mongering, rather than offering advice that organisations can put into action.
He says there needs to be a circling back to fundamentals so that enterprises can build resilience from the ground up.
“You have to start anything with sure foundations. You don’t build the roof of a house first, you build solid foundations…having good firewall rules, having good access controls, having good patch management and IT upkeep, having good monitoring and response capabilities.”
He explains this is particularly important as companies digitise: “As everyone’s going through transformation, you’ve got to make sure that you’ve got a good ship, and you’re applying those basics into everything within your digital transformation.”
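The WannaCry point above and the “good firewall rules” fundamental come down to one checkable question: can an internet-sourced packet reach SMB? Below is an added example, written for this article and not code from Tucker, DP Governance or Digital Health, that audits an exported inbound allow-list with first-match semantics (an early “allow” wins over a later “deny”, which is exactly the kind of basic error that survives a casual eyeball). The rule export format (`action,proto,src_cidr,dport`), the sample rules and the probe address 198.51.100.7 (a TEST-NET-2 documentation address) are all assumptions constructed for the example; the port numbers (TCP 139/445, UDP 137/138) are the standard SMB and NetBIOS ports. The check covers only the perimeter rule set, the control Tucker names; it does not model internal segmentation.

```python
"""Added example: first-match audit of an inbound firewall allow-list for SMB reachable from the internet."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Standard SMB/NetBIOS listening ports. WannaCry's spread relied on reaching TCP 445 (EternalBlue).
SMB_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}

# Internet-sourced probe address (TEST-NET-2, reserved for documentation; assumption for this example).
PROBE_SRC = ipaddress.ip_address("198.51.100.7")


@dataclass
class Rule:
    line: int
    action: str                       # "allow" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    ports: tuple[int, int] | None     # inclusive (lo, hi); None means any port


def parse_port_spec(spec: str) -> tuple[int, int] | None:
    """'445' -> (445, 445); '137-138' -> (137, 138); 'any' -> None."""
    spec = spec.strip().lower()
    if spec == "any":
        return None
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"bad port spec {spec!r}")
    return (lo, hi)


def parse_rules(text: str) -> list[Rule]:
    """Parse 'action,proto,src_cidr,dport' lines (assumed export format); '#' starts a comment.
    Order is preserved because evaluation is first-match."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dport = (f.strip().lower() for f in line.split(","))
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {n}: bad rule {raw!r}")
        rules.append(Rule(n, action, proto, ipaddress.ip_network(src, strict=False), parse_port_spec(dport)))
    return rules


def matches(rule: Rule, proto: str, src_ip, dport: int) -> bool:
    """True if a packet (proto, src_ip, dport) is matched by this rule."""
    if rule.proto not in ("any", proto):
        return False
    if rule.src.version != src_ip.version or src_ip not in rule.src:
        return False
    return rule.ports is None or rule.ports[0] <= dport <= rule.ports[1]


def first_match(rules: list[Rule], proto: str, src_ip, dport: int, default: str = "deny"):
    """Return (action, rule) for the first matching rule, or (default, None) if nothing matches."""
    for rule in rules:
        if matches(rule, proto, src_ip, dport):
            return rule.action, rule
    return default, None


def exposed_smb(rules: list[Rule], probe_src=PROBE_SRC, default: str = "deny"):
    """List (proto, port, line) for every SMB/NetBIOS port the probe source could reach.
    line is 0 when exposure comes from the default policy rather than an explicit rule."""
    findings = []
    for proto, ports in SMB_PORTS.items():
        for port in sorted(ports):
            action, rule = first_match(rules, proto, probe_src, port, default)
            if action == "allow":
                findings.append((proto, port, rule.line if rule else 0))
    return findings


# Constructed sample export, not taken from any real estate. Line 3 is the WannaCry-class mistake.
SAMPLE_RULES = """\
# action,proto,src_cidr,dport
allow,tcp,0.0.0.0/0,443
allow,tcp,0.0.0.0/0,445            # SMB open to the world
allow,tcp,10.0.0.0/8,139-445       # internal sources only: fine
allow,udp,0.0.0.0/0,137-138        # NetBIOS name/datagram open to the world
deny,tcp,0.0.0.0/0,445             # too late: line 3 already matched
"""

if __name__ == "__main__":
    for proto, port, line in exposed_smb(parse_rules(SAMPLE_RULES)):
        print(f"EXPOSED {proto}/{port} via rule at line {line}")
```

Run it over your own export and the output should be empty; every finding is a rule to delete or to narrow to internal source ranges. Evaluating a probe packet through the ordered rule set, rather than grepping for “445”, is what catches the allow-before-deny ordering error in the sample.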
Pathway to compliance
Moving on to the flavour of the month, Tucker says he aims to bring a real-world perspective to the topic of GDPR at PCS, rather than providing a “helicopter view” of the subject.
“Rather than do the usual nonsense and scare tactics about how you’ve got to be compliant by 25 May next year, I’m going to give a realistic view about GDPR and what it actually means in practice.
“I’ll be trying to give people a bit of a leg-up about how to approach it, stop panicking, and just build a proper pathway to getting somewhere near compliant.”
Tucker claims that some vendors have seized upon the collective anxiety caused by GDPR to fill the market with “snake oil”.
He instead proposes that enterprises need to take a step back and adopt a measured, step-by-step approach to the issue, rather than fretting over the EU-imposed May deadline.
“No organisation in the world is going to be compliant – and that’s fine. It’s just about you being an intelligent organisation.”
“It’s about removing the fear and the scaremongering and the complexity of GDPR and actually bringing it back to basics, and showing what an intelligent organisation will do.”
Asked what else he would be keeping an ear out for at PCS, Tucker said he wanted to hear a more open and insightful account of the organisations hit by cyber-attacks, and the remedies that can be put in place to mitigate them.
“I’m interested to hear from the NHS guys and see how much they open up, and how much honesty there is in there.”
“I’m hoping that it’s a conference with a practical element rather than filled with buzzwords and helicopter views of topics.
“Too many conferences these days are just the same tired messages that don’t give anyone any practical takeaways. I’m hoping this one will be different.”
Ed Tucker will be speaking 16:00 – 16:30 on A realist’s view of GDPR at Public Cyber Security, 7 December, ICC, Birmingham.
Public Cyber Security is the dedicated new conference from Digital Health focused on protecting citizen-facing public services and is free to attend for public sector information security, IT and IG professionals, with a particular focus on health and local authorities.