The ICO’s £183m GDPR fine for British Airways is the wrong thing to do

There’s lots of flag waving about how the ICO finally has some teeth, and how GDPR is going to keep companies on their toes from now on. Nothing will change.

GDPR will have no impact on cyber security apart from employing a lot more auditors, with even more ineffectual checklists. The ICO’s “record breaking fine” will result in zero improvements in cyber security.

Companies should be punished financially for having weak security when handling customer’s data — but it’s the executive team who should foot the bill. The ICO’s fine doesn’t help consumers or the companies who have suffered a breach. No fine, ever, has resulted in a cut in executive pay or benefits: that money will be extracted from the business. More often than not this takes place via cost cutting in traditional ‘overhead’ areas; IT, security, and front line services.

While levying the fine does send a clear message, it equally perpetuates the fear/hype cycle that’s so prevalent in cyber security. Instead of “Buy cyber technology and audits or the hackers will get you!” the narrative has now changed to “Buy cyber technology and audits or you’ll get a massive GDPR fine”.

Grossly negligent companies should be punished for avoidable failures in cyber security — Sony, I’m looking at you here, with your pre-PSN breach layoff of security staff. But — just as with poor acquisitions (hello HPE and Autonomy!) — the executive team need to be held responsible. Cyber security is represented at the board, hacking is not some new emerging threat, and security failings need to be treated in the same way as failed product launches and botched expansions — by punishing the executive team who oversaw (and are responsible for) these poor business decisions.

Because, yes, a proportional and knowledgeable investment in cyber security, in this day and age, is just as much of a business management decision as buying your way into a new market, or launching a new product.

One of the key problems here is relying on checklist audits to ‘prove’ that a company is secure. With a focus on buying technology to address technical debt, while measuring ‘security’ against a checklist (that’s followed by everyone except hackers) companies sleep walk into breaches and hacks that could have been avoided. We should be getting rid of auditors and GRC ‘professionals’ — it’s an approach that doesn’t work with modern mobile, agile, rapidly deployed applications. Worse still, it presents a distorted view of an organisation’s current security posture, and we’ve seen how that ends: with companies being breached, and their auditors being sued.

How much of an improvement to BA’s cyber security could £183m achieve? How much of an improvement across the industry could be delivered by a £183m investment from the ICO in Cyber education?

Any other business investment that has board representation comes with a slew of KPIs and performance measurements to ensure that it’s success can be measured, monitored, and — if need be — corrected. It’s about time we started to do the same with cyber security, driving this from the board down.