• United States




3 ways to make the most of GDPR

Feb 01, 20184 mins
Data and Information SecurityGovernmentPrivacy

EU regulations provide an unprecedented opportunity to elevate cybersecurity as a business enabler.

protection privacy security internet network lock
Credit: Thinkstock

The announcement of the European Union’s General Data Protection Regulations (GDPR) in 2016 has flooded the news cycle with concerns over what requirements entail and how companies should prepare themselves. GDPR will necessitate a significant effort, and businesses are understandably apprehensive about the resources and cost required to do so.

Despite these concerns, the EU’s upcoming regulatory deadline of May 25 provides a valuable opportunity to elevate the roles and resources of cybersecurity teams for businesses around the world. The scope of GDPR requires deliverables and outcomes that are new to many organizations. These requirements create an opportunity for proactive defense of everyday business.

GDPR requirements create an opportunity for cybersecurity leaders to earn a seat at the corporate table, provide strategic guidance and implement changes. Many of the GDPR requirements also provide a sort of rosetta stone for the things that security operations teams desire – they are just cast in a language that the C-suite can resonate with.

Here are three ways cybersecurity leaders should look to leverage GDPR to empower their teams and enable the business:

1. Modernize and innovate cross-team business operations

A mature, cybersecurity team may be focused on protecting intellectual property. If the security team is mature, they have a strong set of processes to detect, investigate, respond and report on threats. GDPR creates the opportunity for cybersecurity teams to engage with the business and share the know-how to operationalize GDPR compliance guidance across the entire organization – using the tools and techniques they already know how to use

If the security operation is in its infancy, GDPR creates an opportunity for security teams to engage with the broader business. GDPR creates an operational anchor, a true north star, while providing a roadmap for security operations. It gives a path to maturity and incentivizes security teams to get more involved across business units to monitor, analyze, detect and respond across the critical business assets. And success can be charted against a GDPR scorecard.

2. Manage consumer brand reputation

The consumer is king under GDPR guidelines, which were enacted first and foremost to protect individual data and privacy rights. The cyberattacks on Equifax, Yahoo and other major enterprises in recent years have caused serious damage to the company’s’ public image, and these consequences stand to become even more severe if companies are unable to offer the protection mandated by the new regulations. That means business leaders need to assign security teams with a new level of responsibility for maintaining a strong public image with consumers, even on-par with marketing and PR groups.

Cybersecurity teams can take pride for their proactive work in protecting user data. By providing insights into steps being undertaken to bolster the defense of individuals’ private information, security teams can help craft a more detailed and compelling narrative on the company’s dedication to its customers. In turn, that story encourages consumers to engage with the business as a trusted source. As a consequence, these efforts will yield tooling and capability for security teams to better protect a company’s internal assets and intellectual property.

3. Guide technology investments for the future

Cybersecurity teams can sometimes develop the unfair and inaccurate reputation as the “no” people within their business – stifling innovation and savings because of policies that might be thought of as strict or risk-averse. Whether or not this reputation is merited, the GDPR will require that security leaders play a defining role in deciding how and where investments in technology are made across the company. These decisions will be driven largely by a need to improve threat detection and various defense measures; however, they also provide an opportunity to guide decision-makers towards solutions which will best fit the future needs across all departments affected by the new security regulations.

Data sharing technologies are a prime example of the opportunity for collaboration between security and IT departments. For instance, security teams can help IT teams select, invest in and set up  more secure cloud environments that in turn enable data sharing capabilities to be implemented efficiently, cost-effectively and with far less risk of outside attack.

GDPR is one of the most far-reaching and complex security legislation in recent years. Exactly how companies respond to the new regulations remains to be seen, but it nonetheless provides a valuable anchor point to elevate and empower cybersecurity teams as a driving force behind the business.


Monzy Merza serves as the head of security research at Splunk. With over 15 years of cybersecurity leadership in government and commercial organizations, Monzy is responsible for helping advise and implement strategic security programs for Splunk’s cybersecurity customers, working hand-in-hand with executives across the Fortune 500 to develop modern security architectures.

Monzy is also responsible for leading the Splunk Cyber Research team, which arms Splunk customers with actionable threat intelligence to combat advanced threats.

A noted international speaker, Monzy frequently presents at government and industry events on topics such as nation state threat defense and machine learning. His current security research is focused on integrated approaches to human-driven and automated responses to targeted cyber attacks.

The opinions expressed in this blog are those of Monzy Merza and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.