A few weeks ago I attended a conference and listened to a talk by Aleth Gueguen about GDPR. A recurring theme in the talk was maintaining a reasonable level of security and keeping the end user's data private. Most GDPR talks tend to go over the list of things you need to comply with, and how to do everything by the book, but this was a bit different. Aleth showed more concern for the users and less for the risks to the organization.
Later that week, on a long layover, I had a chance to sit down with Aleth (over a Vienna Schnitzel). One of the things we talked about was the spirit of GDPR compliance.
The spirit of the regulation is to keep your users' data private and safe. It is not about checking boxes and sending out annoying emails about policy changes.
That got me thinking about security practices in general, especially after a few long client meetings that seemed to be missing the point.
We tend to focus on the tools, processes, best practices and what we do daily, but our motives are "selfish" and aimed at the company's interests. The actual people whose data we hold usually come in second, if at all. And even when they do, it's because of legal liability and not so much out of concern for the users.
The same goes not just for security experts, but for developers and DevOps engineers. You should not be implementing security just because you need to, or because a big client made you go through a due diligence process.
When you are writing new code, be mindful of the end users, the people whose data you will be processing and serving. It's not about the shiny new UI, or a neat feature, or a fully automatic deployment that runs 100 times a day in production. In most cases, your work is not as crucial to the users, or your client's users, as having their trust breached. By you.
I believe that in the future we will see more litigation related to data breaches, and more directors will, and should, be found accountable. In most cases, I can't honestly say that tech leaders are doing the minimum required and using the now widely available security measures to protect their users.
So the next time you read new compliance guidelines, try to understand their spirit, not just how to implement them. It is a way to peek into the future (if only that were the case for new JS frameworks).
What can you do about it?
- Keep the users in mind
- When retaining information, think: do I really need to keep it?
- Try to map out where you are keeping personal information.
- Think about some non-obvious data that could be used for exposing your customers.
- When possible, use encryption.
- When there is an opportunity to improve security, do so; don't brush it off for later.
- Don't have a "this is the way it's always been, why change now?" attitude.
- And my all-time favorite: "We don't have time for security, we need to release it asap". Get it out of your vocabulary. Unless you do proper risk assessments.
Want to learn more about DevSecOps and Security? Join the DevSecOps Thursday list.
Originally published at https://pinesec.com/you-owe-them on November 12, 2018.
You owe them was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.