
Data Security is Everyone’s Responsibility

For many years, software companies have trudged down a path of making updates and releasing enhancements to their applications, in hopes that their customers will find value in what they produce. In today’s world of customer journey mapping to enhance and understand the customer experience, that thinking no longer works.

Personally, as the Head of Product Management for iGrafx, I try to get out of the office as often as possible to hear exactly what the market and our customers are saying. To that end, a few weeks ago I had the privilege of attending the Enterprise Risk Management Symposium in Portland. Here are a few of the highlights I picked up.

  • IT Security is a matter of culture, not technology. That means that the whole organization needs to be included in understanding and implementing the required behavior.
  • While everything in IT needs a process, documentation, and the metrics to monitor the behavior, they also need to understand the other processes that they support, and the systems used. Additionally, it is imperative that they understand the risks of a process or system failure and ensure there are mitigating controls in place to nullify or, at the very least, minimize the disruption. Processes for dealing with incidents should not be taken lightly. It is not a matter of “IF” there will be an incident, only “WHEN”.
  • You should have an inventory of “Capabilities” which can identify relationships to not only other capabilities, but also to the processes that support them, as well as identifying the risks for failure. It is also important that groups can identify gaps in their capabilities so that they can address them before they become real issues.

The biggest shock to me, and also the biggest takeaway, was how impressed the group as a whole was with GDPR. While the new regulation at present is a bit of a headache, as everyone rushes to be compliant by May 25th, they were very much impressed. It was also clear that this group was already moving in a direction to work with US lawmakers to enact a similar regulation here, using GDPR as a template. If you have not heard about GDPR you can find out more about it, who it impacts, and what you can do to be ready here.

Overall, I enjoyed this show. It provided a lot of good insights into the challenges and ideas of those who are tasked with handling Risk Management. But most importantly for me, the ERM Symposium really helped build confidence and validation in the direction of iGrafx, as we continue to develop and evolve with the market.
