• United States




May 18th: The birthday of the DPO

Jun 06, 20172 mins
Data and Information SecurityGovernment ITTechnology Industry

The importance of the European Global Data Protection Regulation and its implications for cybersecurity in America.

digital europe circuit board barbed wire barrier obstacle thinkstock
Credit: Thinkstock

What does May 18th, 2018 mean to you? If you conduct business with European individuals or businesses it is time to hire a Data Protection Officer (DPO). The European General Data Protection Regulation is 11 months away. This regulation is intended to strengthen and unify data protection for all individuals within the EU. It addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.  

This regulation embodies the nexus between privacy and cybersecurity via “protection’. GDPR will eliminate plausible deniability as the penalties for non-compliance i.e. lack of protection will equate to 4% of revenue. This is a game changer. No longer will cybersecurity be viewed as an expense ; now it will become a functionality of conducting international business.

The GDPR requires a Data Protection Officer being hired at the C-level. This DPO position requires thoughtful consideration of the candidate. My greatest concern is corporations will assign this historic role to a lawyer from the compliance department. That would be a travesty. May 18, 2018 is the day that has arrived for the CISO community.   You should begin your tactful conversations with your C-suite now as the DPO position should be the career path for CISO’s.  

Once we embrace this reality we must begin the dialogue per the definition of protection.   It has become obvious that protection is not merely encryption or compliance with cybersecurity standards.   Protection should include those elements but it should be modernized. intrusion suppression.  Adequate protection should incorporate dynamic real-time reaction to cyber intrusions. Pivoting to a strategy of intrusion suppression will improve protection and limit the impact of a breach. By stifling the adversary’s exfiltration of meaningful data an organization will protect the reputation of the brand and allow the organization to be GDPR compliant.  It is my sincere hope that this column will begin a thoughtful dialogue per the definition of protection.   May 18th, 2018 will be historically significant for our industry and hopefully for you Mr. or Mrs. DPO.  

“Not all the armies of the history of the world can stop and idea whose time has come.” –Victor Hugo.


Tom Kellermann is a cyber-intelligence expert, author, professor and leader in the field of cybersecurity. Tom is the co-founder of Strategic Cyber Ventures and serves as a Global Fellow for the Wilson Center.

Having held a seat on the Commission on Cyber Security for the 44th President of the United States and serving as an advisor to the International Cyber Security Protection Alliance (ICSPA), he has worked in the highest levels of cybersecurity. He has applied his expertise in the corporate world, as Chief Cybersecurity Officer for Trend Micro Inc. where Tom was responsible for analysis of emerging cybersecurity threats and relevant defensive technologies.

Prior to Trend Micro, Tom served as the Vice President of Security for Core Security. Tom began his career as Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and security policy as he advised central banks around the world about their cyber-risk posture.

In addition to his professional work, Tom believes in sharing his knowledge to benefit others in order to combat cybercrime. Tom was a Professor at American University’s School of International Service and the Kogod School of Business, and he co-authored the book “E-safety and Soundness: Securing Finance in a New Age.” He regularly presents at global cybersecurity conferences and is a contributor on cyber analysis for major networks. Tom is a Certified Information Security Manager and is a Certified Ethical Hacker.

The opinions expressed in this blog are those of Tom Kellermann and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.