CWIN17 San Francisco - Geert van der Linden - Don't be stranded without a (GDPR) plan
1. Don't be stranded without a (GDPR) plan
Geert van der Linden, San Francisco, 7 December 2017
Making a difference with security
2. Evolving Risk Landscape
29% of organizations have both strong data privacy policies and sound security frameworks [3]
>20% of organizations have real time insight on cyber risks. Malicious attacks can take up to 256 days to identify. [1]
46% of organizations state they have a ‘problematic shortage’ of cybersecurity skills in-house [2]
Move to an outsourced SOC model is growing, expected by Gartner to equal 50% of security operations by 2019
1) Source: IBM 2015 commissioned research, Cost Of Data Breach Study, May 2015
2) Source: ESG Brief: Cybersecurity Skills Shortage: A State of Emergency, February 2016
3) Source: Currency of Trust Whitepaper, Capgemini, August 2018
4. Endangering the Modern Enterprise: Evolving Business, Regulatory Requirements, and Cyber Threats
Risks and challenges to consider
Digital new requirements and trends: regulatory pressure and new laws; business demanding higher flexibility; complex ecosystem
Trends from Digital Transformation: Mobility, Cloud, Big Data, Social, IoT
Cybersecurity maturity: limited cybersecurity resources and competences; low cybersecurity awareness amongst managers and employees
Threats from hacktivists, organized crime, intelligence agencies: employees threatened by phishing, social engineering …; more and more sophisticated attacks by cyber criminals; national intelligence agencies with unlimited resources
6. Cybersecurity Portfolio
3 families of Cybersecurity (Cybersecurity framework): Consulting & Assessment Services; Protection Services; Monitoring Services
Gartner: “Operational Technology (OT): industrial systems and manufacturing IT systems”
7. Capgemini Service Managed SOC
Deployment & Service Delivery Options
Dedicated (managed) SOC: tailored and exclusively designed SOC to suit a client’s security needs & individual risk profile; operated out of Capgemini or in-house. Protects sensitive data; complies with local legal & regulatory mandates.
Multi-Tenant / Client managed SOC: multiple customers on a SINGLE interface, while maintaining protection of individual tenant policies. Allows easy & quick access to comprehensive security solutions; local language support & local presence; industrialized SOC services capability through the GSOC.
Strategically located network of Managed SOC Centers designed to remotely manage, support and respond to our clients’ security issues.
Service Delivery Option 1: Fully Featured managed SOC. Industrialized managed SOC solution, fully managed and hosted by Capgemini, purchased through a tiered service model. Features: low CAPEX; flexibility of solution; reduced cost.
Service Delivery Option 2: Service Wrap managed SOC. SOC operational services fully managed by Capgemini while the SOC tools and infrastructure continue to be customer owned. Set-up of logistics and interim processes required to enable the changeover. Features: fast to deploy and implement; low cost.
8. GDPR and Data Protection: What You Need to Know
Key points of the GDPR
• In May 2018 the General Data Protection Regulation (2016/679, known as GDPR) will be enforced
• The GDPR is an EU regulation related to the protection of personal data and the free movement of such data
• Organizations will be held more accountable for their data collection and use than ever before
• Risk evaluation is key, and mitigation measures may include encryption etc.
• Although many organizations have already adopted processes consistent with GDPR, the new regulation will impact most organizations on all levels
• Failing to comply with the GDPR can lead to a fine up to 4 percent of the worldwide turnover or 20 million euro
Key points for data protection (Data Protection): A. Assessment; B. Protection; C. Data subject rights; D. Controls; E. Consulting
9. Security and Privacy Principles
• Align data practices with consumers’ expectations: TRUST
• Understand where the data is: at rest or in motion, structured or unstructured
• Classify criticality of data constructs (risk) and implement appropriate security controls and privacy policy
• Maintain a strong data governance model
• Develop innovative ways of providing effective and agile yet non-intrusive security to consumers
• Build out capabilities to monitor cyber risks on a real-time basis: SOC (prevent/detect/respond)
• A strong brand around data privacy AND security will earn the trust of current customers and will yield additional market capture
10. GDPR Services / framework
A catalogue of services for each of the nine building blocks:
• GDPR Program Services: Data Protection Register management, Awareness & Change management, Program coordination and follow-up (incl. KPIs, Risk and reporting), DPO Organization & Tooling, Processor and third party management, GDPR methodology and procedures (including Privacy by design, PIA)
• Data Discovery Services: data discovery services
• Consent & Individual’s Rights Mgmt Services: consent management, individual’s rights management
• Pseudonymizing Services: pseudonymizing services
• Data Lifecycle Services: data retention and data disposal
• Data Protection Services: Identity Access Management & Identity as a Service, Data & Database Security
• GDPR Assessment Services: Program Scoping, Detailed process diagnosis and action plan, Privacy Impact Assessment
• GDPR Assurance Services: Data Breach Simulation, GDPR compliance tracking, Application security & privacy testing
• Breach Management & Reporting Services: Security Operations Center as a Service, Data Leak Prevention as a Service