Dylan Johnston discusses his concerns for the state of cybersecurity, global privacy challenges and the cybersecurity skills gap.

I left university with a Bachelor of Science in Business Information Technology. My first role was as a Network Operations Analyst, troubleshooting frame relay, ATM and IP networks for a global telecommunications carrier.

I then held various network engineering positions in the financial services sector where I became involved in the design, implementation and operation of session filtering firewalls (Cisco ASA, CheckPoint), as well as application load balancers (Nortel, F5) and web application firewalls. Having established myself as a network security engineer, I began exploring other security domains through reading, attending training courses and sitting certification exams from the likes of ISC2 and ISACA.

Today our work is focused on the establishment, implementation and continuous improvement of information governance, risk management, privacy and compliance programs for organisations in the digital life sciences sector.

That compliance does not necessarily equate to security. I often hear the terms used interchangeably but it is important to understand the difference. For example, an organisation initiates a project to certify to ISO 27001. The project team plans, initiates and executes a risk assessment then implements controls to reduce the identified risks to an acceptable level. They then provide evidence of their work to an independent third-party auditor who reviews, makes recommendations and issues the certification. This is compliance.

Security is everything else that happens between certification audits. By means of a second example, ISO27001 requires an organisation to implement and document an information security incident management process. The documented process itself is of little use if it is just going to sit in a shared drive until it is dusted off in time for the next third-party audit. Effective incident management requires a continuous effort to make the incident response team aware of their roles and responsibilities as well as carrying out regular drills that train responders to react with speed and efficiency.

This may sound paradoxical, but you need to be passionate about your purpose as a security and privacy practitioner whilst being able to demonstrate tact, patience and diplomacy. Striking the right balance between these attributes is something that I have found challenging on occasion. It’s a skill that I’ve had to work very hard to develop.

Subject matter expertise is important to articulate complex concepts and scenarios to a diverse audience from c-suite executives to data scientists, software engineers or HR managers. Communication skills, of course. Openness and honesty have always worked well for me.

Whilst in-depth technical knowledge is certainly an advantage, a solid understanding of the fundamental concepts will suffice in a majority of situations. For example, my background in network security engineering has served me well in conducting risk assessments for cloud infrastructure and applications. My knowledge of cryptography has helped me explain to privacy experts with legal backgrounds how encryption and key management concepts are applied in the pseudonymisation of sensitive personal data. Other factors to be considered when determining the extent to which in-depth technical knowledge is required would be the size, maturity and level of expertise within the client’s internal organisation, the complexity of their systems architecture and the characteristics of the information assets that they are seeking to protect.

Where do I start? We face an uphill battle on a number of fronts. First and foremost, the drive towards digital transformation and the proliferation of data-driven businesses has presented the challenge of protecting increasingly large quantities of sensitive information. The speed of technological development and the architectural complexity of cloud applications presents heightened security risk and practitioners are struggling to keep pace with an ever-evolving threat landscape.

One of the primary objectives of GDPR was to harmonise data protection law between EU member states although there is still a significant degree of confusion, inconsistency and fragmentation when it comes to its application. The aforementioned issues are compounded by the shortage of skilled professionals in the field of cybersecurity, privacy risk management and compliance. On a positive note, our jobs are secure for the foreseeable future.

Absolutely. I founded MOD1 AG in a bid to alleviate the problem through the provision of cybersecurity, privacy, risk and compliance consulting services to organisations in the digital healthcare and life sciences sector. Our goal is to help our clients to reduce the burden of securing sensitive data whilst grappling with complex technology stacks and a fragmented regulatory landscape. Our solutions safeguard against data breach, loss of revenue, reputational damage, operational downtime and legal liability through the adoption of a risk-based approach that delivers optimum results, maximises return on investment and allows our clients to focus on their core business of developing effective devices and therapies.

Whilst plugging gaps with professional services is the prudent short-term solution, I truly believe that the industry as a whole has a role to play in addressing the issue on a larger scale. We need to provide more internships, training and employment opportunities for graduates and be more open to taking on experienced candidates with transferable skills.

Interesting question and again, it depends. The importance of senior management buy-in may sound a little clichéd but there is a reason for its inclusion in almost every information security management book ever published. There has to be an appreciation of privacy risk at the board and senior leadership level before privacy awareness can permeate throughout the rest of the organisation. Embedding privacy awareness into organisational culture requires considerable time, effort and resources which are extremely difficult to secure in the absence of a top-down approach.

Nation-state surveillance laws. Whilst the incompatibility of US surveillance laws (FISA, CLOUD) and European data protection law (GDPR) is certainly nothing new, we are starting to see some significant fallout in light of the SCHREMS II judgement which invalidated the EU/US Privacy Shield as a mechanism for the legitimization of cross border transfers of personal data.

In a second judgement, the European Court of Justice (ECJ) ruled to uphold the use of standard contractual clauses (SCCs), whilst prescribing a case-by-case assessment as to whether or not supplementary measures would be required to ensure an adequate level of protection. I found it particularly interesting that the subsequent publication by the European Data Protection Board (EDPB) entitled “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, outlined scenarios involving Cloud Service Providers (CSPs) in which no effective measures for the protection of personal data could be found.

The EDPB recommendations state that in scenarios where there is a technical necessity for CSPs to access unencrypted personal data for the provision of the service:
“transport encryption and data-at-rest encryption even taken together, would not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys”.

Since a CSP would certainly have the “technical ability” to access unencrypted personal data, it is difficult to make the case that hosting personal data with a US CSP (AWS, Microsoft Azure, Google) could ever constitute an “adequate level of protection” under GDPR.

My advice is for every enthusiast, regardless of age. Many highly experienced individuals have transferable skills and the willingness to embark on a second career in cybersecurity but still struggle to find an entry point. Be persistent and demonstrate a commitment to continuous learning and personal development. My experience is that the first step is typically the most challenging so do what you can to get your foot in the door and the rest will take care of itself.

Original interview by Swiss Cyber Institute can be found here.