SRM Blog

UK research highlights the lack of Chief Data Officers at C-suite level

Research by the data science and marketing services company Profusion has revealed that UK businesses are falling behind their European counterparts. The report highlights the lack of Chief Data Officers at board level at a time when GDPR, Brexit and the new Open Banking standards (due to come into effect in January 2018) should be top of the corporate agenda.

The Chief Data Officer: Today, Tomorrow, Always? report analyses the role of the Chief Data Officer, finding that only 2 per cent of FTSE100 companies have elevated this position to senior level. This is in spite of the fact that research from global marketing intelligence firm IDC reveals that 77 per cent of FTSE100 company executives consider data and analytics to be the most important technology trend of the next three years.

So why is this the case? At a time when UK businesses need to put effective organisational structures in place to maximise the benefits of ‘datafication’ while ensuring that all regulatory, legal and security procedures are in place, why are the big corporates not acting? Of course, they are not alone; the dearth of board level data officers extends into all businesses, from public sector organisations to SMEs.

One of the key issues is recruitment. There are few individuals with the right skill set required for this challenging role. A Chief Data Officer needs to combine a degree of technical skill with a highly tuned commercial agenda. He or she is required to communicate with authority with their board level peers, putting forward innovative strategies for developing the benefits of properly managed data to create new revenue streams. They must drive business efficiencies while enhancing customer relationships and improving company performance and growth. Add to the lengthy job description the need to ensure the security of all data in line with all regulatory and legal requirements. No wonder there are so few about.

With such a tall order, it is not surprising that there is an increasing trend toward organisations looking to external partners to provide resources and support for specific aspects of the role. In this way they are able to supplement the wider experience of the individual with specific expertise. The role of Chief Information Security Officer (CISO) is an aspect of the CDO role; they are often one and the same person. Providing CISO support, or even fulfilling the CISO role in its entirety, is a way to enhance the CDO’s role, while also allowing him or her to focus on the wider picture.

SRM has extensive experience of providing CISO support for businesses of all scales. Our service is entirely bespoke, delivering as much or as little as is required: from board level engagement to scoping and conducting penetration tests, and from Red Team engagement, which provides a hacker’s eye view of an organisation’s frailties, to GDPR compliance. For smaller businesses we can provide a Virtual CISO (vCISO) with access to our specialist team whenever needed.

Given the fact that GDPR is yet to be enacted and some of the fine detail is still being confirmed, SRM’s GDPR expertise adds particular value to the CDO’s role. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance or take on the full Data Protection Officer (DPO) role.

For a no-obligation conversation about SRM’s CISO, vCISO and GDPR services, contact Mark Nordstrom.

Learn more

GDPR – The General Data Protection Regulation


Related blogs

After GDPR, what will happen to ICO notification fees?

How US internet giants are tackling the issue of GDPR compliance

Time running out for GDPR compliance

What does GDPR mean to SMEs?

VirtualCISO: the philosophy of product development

How a CISO can exert influence at board level


Yes, someone actually said that to me in an interview!

SRM’s GDPR specialist Melanie Taylor explains some of the challenges faced by women trying to get into the world of IT

‘I don’t understand why a woman with a family would want to work in IT’…

Is just one of the things an IT Solutions company in Catterick said to me during an interview.

To start at the beginning! In August 2012 I had an operation to fuse 2 of my vertebrae in my lower back and insert some ‘scaffolding’ to support the ones above due to collapsed discs. I knew the operation was coming and had decided that once I could go back to work it would be in IT. I was not going to settle for less; having always enjoyed dabbling in IT and taking PCs, Xboxes and mobile phones apart to fix or clean them, it seemed like a logical choice. Getting into Information Security was the ultimate goal but I needed to start with IT in general.

“An apprenticeship! That’s what I’ll do,” I told my husband. So I started to apply for any IT apprenticeships I could find, sometimes 5-10 per week, and then… Nothing! Nothing at all. Not even a ‘sorry, this place was filled’. I kept going and did, now and again, receive a reply: TOO OLD! You see, I was 34. When a company wants an apprentice they want a young one so that they will be fully funded. I still kept going. Applying and chasing with telephone calls. Too old.

But then finally, an interview!

It was for a Network Technician Apprentice role for an IT solutions company in Catterick. I was currently living in Bishop Auckland and was more than happy to travel 25 miles to work each day.

On the day of the interview, I was extremely nervous and also excited at the possibility; this could be it… The beginning. I arrived in plenty of time, smartly dressed with a little makeup on and hair done, anxious to meet my interviewers.

Now I can tell you that when someone walks into the room, sees you, and their face drops, you do not get a good feeling: that sinking feeling, that feeling of dread. I was asked to have a seat and was made a cup of coffee. The interview started in an unstructured way and I remember being asked why I wanted the role. “Since leaving school I have wanted to get into IT but just didn’t know how back then. I have had a few years away from work due to a back injury but am now able to work again and decided to go for my career of choice.” I said some other stuff and waited for a response. Awkward silence. Then one of the men said, “I just can’t understand why a woman with a family would want a job like this, it gets cold in server rooms you know”. I said I would wear a coat if I was cold. This seemed to be the theme of the interview and I was enlightened with some interesting statistics about how many women worked in IT, or rather didn’t work in IT. On the plus side, I was told that the clients would love me, although I’m not entirely sure that it was meant as a compliment. Near the end, I was asked if I would not rather take a position in admin! As a last attempt to convince these people (clutching at straws) I blurted out that having my hair done and wearing makeup was not me and I really wanted this opportunity. After I left it didn’t take long for the recruiter to ring to break the news to me: I was not experienced or knowledgeable enough for the position and the learning curve would be too steep. An interesting point, considering that the interviewers had already told me that the role needed no experience, being an apprentice role, and that the last apprentice they had was starting completely from scratch with their knowledge and experience.

Desperately wanting to prove myself I emailed one of the directors that interviewed me and offered to do voluntary work so that they could see my work ethic and how quickly I would pick things up. Nothing! Not a thing back.

I was absolutely determined to keep going; everything happens for a reason, right? And looking back at the interview I was beginning to think that maybe it was not the best place to work, for a woman anyway.

Thank you! Thank you so much for not taking me on! I would not be where I am today if you had.

After around 8 months of applying, I had an interview with Newcastle College which was successful and my journey began, but that is another story.

The point of telling you this is to say never give up on your dream career and never stop searching for your perfect employer. You’ll know when you get there and you may not stay forever but it’ll be right at the time.

I am so lucky to have found a company that not only let me fly, they give me the wind beneath my wings. Thank you SRM!


After GDPR, what will happen to ICO notification fees?

When the General Data Protection Regulation (GDPR) comes into effect in May next year it will not require organisations to notify the ICO about what data they hold or to pay notification fees. However, little will change in reality. A provision in the new Digital Economy Act 2017, which addresses policy issues relating to electronic communications infrastructure and services, means that notification and fees to the ICO will still be a legal requirement for data controllers after GDPR is enacted. What is more, the fees themselves are likely to increase.

Under the current Data Protection Act (DPA), organisations which process personal information must, as data controllers, notify the ICO about what personal data they collect and what they do with it (unless an exemption applies). They are also required to pay the ICO a notification fee. This is either £35 or £500, depending on size. These fees are currently used to fund most of the ICO’s work.

The Digital Economy Act 2017 paves the way for a new funding system for the ICO with the new model going live on 1 April 2018. As is currently the case, notification fees will be used to fund the ICO’s data protection work and any money the ICO receives in fines will be passed directly back to the Government.

What is still unknown is exactly what these fees will be, although we now have a clear indication of what is being considered. An update from the ICO on 31st October confirms the range of fees which are currently being considered in consultation with the Department for Digital, Culture, Media and Sport. The draft proposal is for a three-tier system, differentiating between small and big organisations and also by how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.

  • Tier 1: small and medium sized firms that do not process large volumes of data. Applies to those with a staff headcount of less than 250, turnover below £50m a year and fewer than 10,000 records processed. Annual fee up to £55.
  • Tier 2: small and medium sized firms that process large volumes of data. Applies to those with a staff headcount of less than 250, turnover below £50m a year and more than 10,000 records processed. Annual fee up to £80.
  • Tier 3: large firms. Applies to those with a staff headcount of more than 250 and turnover of more than £50m a year. Annual fee up to £1,000.
  • Direct marketing top up: applies to organisations that carry out electronic marketing activities as part of their business. Top up fee £20.

Once approved by parliament, the ICO has undertaken to communicate the new fees to data controllers. In the meantime, organisations should continue to renew their notification as usual. It remains a criminal offence not to notify if an organisation is required to. Those who pay an annual notification fee will only need to pay the new fee once their existing notification, under the old model, expires. It is also expected that the exemptions will still operate and these are expected to be similar to those under the current regime.


eDiscovery: the issues facing law firms and solicitors

by Alan Batey

Information Security Consultant and Forensic Investigator

In today’s world, evidence in legal cases is sourced from the vast quantities of Electronically Stored Information (ESI) that exists across a range of platforms and devices. Acting on behalf of clients, large law firms may have access to eDiscovery platforms to sift, sort, redact and reduce the amount of data that is made available, keeping only those files with relevance to the case in a legally recognised format which preserves the integrity of the data and stands the ultimate test of court acceptance. Smaller firms may not have operated an eDiscovery platform, considering it too expensive or shying away from the complex technology. This is not altogether surprising.

ESI comes from a number of sources: emails, texts, voicemail messages, word-processed documents and databases, including documents stored on portable devices such as memory sticks and mobile phones. In totality it includes an unfeasibly large and complex volume of files. SRM was recently involved in an eDiscovery case where the original ESI involved 1.2TB of data which, in this particular instance, was reduced to 160GB. Although hundreds of gigabytes is more usual, this is still more data than can effectively be processed in a legally acceptable manner without the use of sophisticated management and tools.

Yet many who engage with eDiscovery Platforms find the process is unsatisfactory. They may require assistance with the forensic discovery of electronic documents or need more support in managing the information security risks surrounding the placing of confidential information on a Cloud or server based platform. They may feel their technology partner is unsupportive or that the cost of the exercise lacks transparency. Ultimately, some are worried about the security issues of releasing sensitive information to a third party.

eDiscovery projects require extremely high levels of skill, technical expertise and diligence. At SRM we work in conjunction with the legal team to advise on and execute the eDiscovery requirement for their client. We define each stage and advise on the ongoing process and progress, giving a full breakdown of costs for each stage. Our service is at the cutting edge of eDiscovery technology, saving clients time and money while achieving the best results. We also work effectively and strategically to ensure that disruption to the client’s business is minimal.

When such large volumes of data are made available to a third party, trust is crucial. Our eDiscovery team includes individuals who have worked with the police, MOD and FTSE100 companies. We are the leading PCI Forensic Investigation company in the UK and a cyber security supplier to HM Government.

SRM provides a range of highly professional, cost-effective solutions suitable for law firms of all sizes, from the provision of a low cost ‘E-Discovery Lite’ package to the involvement of Expert Witness Forensic Consultants or the use of a Virtual Chief Information Security Officer (VCISO™).

Can Decision Cycles help us maintain the initiative in cyberspace?

As our world gets increasingly complex we must choose the levers we use to influence it with care. One way to look at this is through the lens of decision cycles.

For those not familiar with this concept, decision cycles are the cyclic process through which we perceive a stimulus, understand its implications, decide on a response and implement that decision. (There are a number of models and references). Simplistically, if we can make effective decisions quicker than our opponents, then we will, theoretically, hold the initiative.

The decision cycle lens is a useful one for those responsible for making decisions about cyber related issues as it throws any dangerous policies into harsh relief.

Most businesses work in a world where their policies, and here I’m talking about management intent rather than paperwork, refresh on a 12 month cycle based on standards which tend to refresh on a 5 year cycle. I note many will be smiling ruefully at this optimistic view!

In today’s information environment many of our risks are changing on a much smaller (faster) cycle, measured in days and weeks rather than months. Our operational tempo is defined not just by the speed of change, but by the way that the speed of change is accelerating.

This presents us with an exciting challenge: if we rely on static policy and processes – and many organisations still do – then we must expect our adversaries to outmanoeuvre us, and our risks to out-evolve us.

Where does this take us? Decision Cycle theory gives us a number of areas where we can hard wire agility into our business systems.
* Firstly, we can ensure that our warning, reporting, alarm and monitoring systems (Technical and Procedural) are tuned to report those events that most concern us.
* Secondly, we can ensure that we fully understand our own vulnerabilities and sensitivities, and the impact that adverse events will have on our operations. We can test and exercise those scenarios that most concern us. We can challenge our own assumptions. This will enable us to understand impacts and qualify outcomes more quickly.
* Thirdly, we do need to understand our own options, their limitations, and review these on a regular basis. This will enable us to make decisions more quickly.
* Finally, we need to ensure that our implementation of these decisions is well planned and, where possible, practised. We must also review effectiveness at every level and make the changes that are required at any part of the cycle.

All of this would seem to be common sense, though it is often not done in practice. There are many reasons for this, ranging from technical inertia to process stagnation. The important thing is that we acknowledge and track our challenges – then we can mitigate the changing risks.

If we are able to design agility into our business systems and processes, and if we tune our organisations so that we can take a proactive posture, then we can keep the initiative. The simple decision cycle model then gives us an easy way to challenge our posture on a regular basis to establish where and when change is required.

This is not rocket science, but many of us do seem to find it surprisingly hard. This simple model is one way of stepping forward and bringing effect to bear in our defence.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.