Guest Blog by Niamh Muldoon, EU Information Security Director, DocuSign
“It will always be about protecting data”
In the past, Information Security frameworks were inwardly focused on the organisation, consisting predominantly of policies, standards and procedures that the organisation itself adhered to. The majority of data and information was stored in-house, within the business technology perimeter. Data and information assets existed in both electronic and physical formats. The ability to share data and information technically was very limited and, where permitted, subject to stringent Information Security Framework controls. Technology departments’ management tooling supported security teams in administering that tooling, protecting the perimeter and the business’s data.
Businesses that understood their data and classified their electronic data were considered mature: they had appropriate controls in place, and their data was accessible both internally and externally. Perimeter-to-perimeter connectivity was mainly a one-to-one relationship, with the underpinning network topology progressing from leased private telecom lines to the virtual private network concept.
The cyber-security threat landscape of the past was very different to the present day. In 1988, we saw the first piece of malware being introduced: Robert Morris created the ‘worm’ type of malware. The ‘Morris Worm’ impacted over 6000 computers, and it’s said that it would have cost $96 million if it hadn’t been stopped. Not too many years later, we had the first well-publicised Distributed Denial of Service (DDoS) attack.
Fast forward to 15 years later to where we are today, and really the only way to say this is – the Internet has exploded. We all, in our personal and business lives, have embraced digitalisation and digitisation using Internet-based technologies.
To support this digital transformation, businesses have moved to a ‘perimeter-less’ ecosystem and Information Security Framework. The Framework starts at the law level: the laws that businesses must adhere to for the data they manage and use, including both global and country-specific laws, need to be considered. The next level up is the data protection regulations for the jurisdictions of operation, followed by industry compliance standards that have a data component, and then industry best-practice standards. These four levels together support businesses in operating digitally on a global scale. Businesses need to internalise these requirements into policies, standards and procedures for data management that the internal organisation must then adhere to.
Operating at a global level using Internet- and cloud-based technologies means that businesses need an Information Security Framework that not only protects the Information Asset categories from cyber-security attacks, but also safeguards the authorised use of those assets, including their transfer across geographical borders.
The requirement to understand data, classify it into Information Asset types and protect it has become even more granular. Today’s cyber-security threat landscape is very different to the past: the means, opportunity and motive to attack have not only grown, but advanced.
There were a total of 2,260 reported data breaches in 2016. Motives for attacks vary, but because hackers have the means and opportunity, it has become far too easy to become a target for attack, with a data breach the highly likely result.
We don’t know what the future will look like from a technology-advancement perspective; however, we do know that the transformation of data to digital form will continue or be completed. Pro-actively managing and protecting Information Asset types has proven to be the foundation of success, enabling businesses to reduce the risk of security breaches and the associated cyber-security attacks – this will remain fundamental in the future.
At DocuSign, we have on average 130,000 new users joining the DocuSign Global Trust Network every day and our user-group is spread across 188 countries including regulated industries.
DocuSign has chosen ISO 27001 as the core of its Security Standard model, which allows customers to take ISO 27001 results and map them into their vendor management programmes. DocuSign has also invested heavily in a cyber-security programme, putting 3 million into the Centre of Excellency. The Binding Corporate Rules programme is underway, and the company continues to provide assurance through compliance certifications.
About Niamh Vianney Muldoon
Niamh has over 15 years’ experience as an information security professional. Prior to DocuSign, she was the EMEA Technical Compliance programme manager at Workday, where she established and grew the organisation’s EMEA Privacy and Compliance team. In her Information Security programme manager role at the Irish online eGaming company Paddy Power Betfair, she transformed the team from an IT Security function into a mature Information Security function. Niamh spent over 12 years at the Irish financial institution AIB, where she commenced her Information Security career and had many successes in relation to technology risk assessment frameworks and establishing Enterprise Information Security and eDiscovery functions. In her spare time, Niamh likes to give back to the Information Security industry by working with (ISC)2, sitting on its global scholarship review panels. She is also a part-time evening lecturer in cybersecurity at the National College of Ireland.