More than 100 countries now require their citizen data stored in servers physically located inside their borders. These laws are creating significant new technical challenges for chief information security officers (CISOs). 

In this new data sovereignty era, the threat landscape is more sophisticated, and risks are typically no longer a binary yes/no but a scale of limitations based on the sensitivity of the data involved. The fact that a lot of data remains scattered in the cloud makes the CISO’s job an even more challenging affair. 

Data localization or data sovereignty refers to restrictions placed on the ability of companies to move, store, process or otherwise handle their users’ personal data. 

Many countries like Germany, France and Russia have laws that require citizens’ data to be stored on physical servers within the country’s physical borders. There are also countries where regulations only apply to certain industries that advocate the same local data flow, such as government agencies and military contractors. 

These proposals can take different forms; some aim to make it harder for companies to move customer data outside the country, while others call for companies to maintain local copies of all user data.

GDPR Was a Game-Changer

When the European Union enacted the revolutionary General Data Protection Regulation (GDPR) in 2018, it was a challenge for CISOs in many companies to align with the demands of the law. Over 500 lawsuits have been filed against non-compliant companies, resulting in 260 million euros ($300 million) in fines so far. Meanwhile, the cost of GDPR compliance is expected to be around $8 billion per year for Fortune 500 organizations.

As the world transitions to a data-driven society, privacy seems set to play an even more important role than it already does.

Following suit, over a hundred jurisdictions — countries, states and cities — have now passed their own data privacy legislation. These “local GDPRs” add up to create a global tangle of regulatory responsibilities that will wreak havoc on the operations of nearly every global firm that interacts with consumers.

It’s like a second set of tax codes for CISOs, with high expenses, high risk, complex implementation and absolutely no room for noncompliance.

Barriers to Cloud Adoption

The 2019 Cloud Security Report highlighted some major concerns regarding a CISO’s migration to the cloud. Sixty-four percent of the surveyed population mentioned data loss as their primary challenge during the transition, while 62% highlighted data privacy. 

Although the focus of a breach response is to remediate the damage and restore business, the cost of a data breach should not be taken lightly. The most contributing factors are third-party involvement, system complexities, operational technology, compliance failure and extensive cloud migration. 

Another consideration is the legislation of the data itself. This can place restrictions on CISOs and their ability to access and work with user data. User privacy and security become a lot more than simply putting the right protective measures in place — there are rules, and they can sometimes be difficult to navigate as different countries have different laws. 

Privacy Is No Longer an Accessory But an Essential

The privacy landscape has changed drastically in the last few years, so much so that privacy has become essential to business and is no longer an accessory. As the world transitions to a data-driven society, privacy seems set to play an even more important role than it already does.

Any CISO should be aware of the fact that customers will demand transparency from organizations, especially about their data. They need to tell their users where their data resides and who can access it. 

CISOs can contribute significantly to the effectiveness of their organizations by taking an active interest in establishing robust data sovereignty practices. For example,

• CISOs should consider the “entire stack” when developing and maintaining a solution that meets relevant compliance standards.
• CISOs need to research and know how to comply with the local requirements. Knowing the local laws is now the standard operating procedure for navigating international business deals. You can’t do business in another country without understanding their data laws.

The Hybrid Cloud

A hybrid cloud made up of on-premises infrastructure, private cloud services and a public cloud gives CISOs more options and the chance to streamline operations and save money. If the business is using a public cloud model today, most of the applications will be in play with a hybrid cloud approach. These applications can be moved back to the on-premises environment when needed while also capitalizing on the advantages of the public cloud when applicable.

Protecting the most sensitive information, whether it is trade secrets, personally identifiable information, or intellectual property, is the core function of a CISO. 

With more enterprises leveraging data analytics and business intelligence to gain business advantage, CISOs are challenged to balance strategies for achieving data sovereignty with the new realities of cloud computing and big data.