The General Data Protection Regulation (GDPR) may sound bland, but it's the biggest, baddest and most powerful data protection regulation ever created. Be afraid...be very afraid.

I'm a member of the Cybersecurity Canon project, where we identify must-read books for cybersecurity practitioners. There are several categories, including cyber warfare; governance, risk and compliance; history and culture; and more. One category that doesn't exist is information security horror books.

With Halloween a few days away, for many the ultimate security horror book is Applied Cryptography: Protocols, Algorithms and Source Code in C by Bruce Schneier. They are frightened and intimidated by topics such as public-key digital signature algorithms, pseudo-random-sequence generators and stream ciphers. Their fears are eased by the fact that most people will only ever be users of cryptography and will never have to design a cipher or write crypto code.

With some license, in Understanding the New European Data Protection Rules, author Paul Lambert has written the Stephen King of information security books. Here, Lambert details the horrors and monstrosity that is GDPR. The regulation opens a Pandora's box of information security and privacy requirements that firms will have to deal with.

For those not familiar, GDPR is the General Data Protection Regulation, an EU regulation meant to strengthen data protection for individuals in the EU. It protects data subjects who are in the Union, not only EU citizens, and it applies from 25 May 2018. For those who want to know more, there is no shortage of information on the web. Most security vendors have white papers detailing how their products can help with the GDPR headaches. The entire 261-page regulation can be downloaded from the GDPR portal. For many who have skimmed the regulation, compliance can seem like it is not a huge endeavor.
Read this book, and you've just become Freddy Krueger's CISSP buddy.

Part of the rationale for GDPR is to have a single regulation rather than many national ones, which required significant duplication of effort. Businesses will only have to deal with this one regulation rather than myriad others. GDPR is estimated to save businesses over €2.5 billion annually.

First off, GDPR is not just another regulation. It is a rights-based regulation that changes the data dynamic: individuals have significantly more rights over their data, and each right creates corresponding obligations that businesses must meet to be compliant. GDPR establishes data protection rights as fundamental legal rights.

Some of the rights GDPR includes are the right to rectification, the right to erasure (the "right to be forgotten"), the right to object to processing for direct marketing, and much more. Every GDPR right creates a large set of obligations that enterprises must deal with.

An example of a daunting aspect of GDPR is its extra-territorial scope. GDPR protects individuals who are in the EU regardless of their citizenship, so a non-EU organization with no establishment in the EU is still in scope if it offers goods or services to individuals in the EU, or monitors their behaviour there. This is just one example of hundreds.

In Understanding the New European Data Protection Rules, Lambert shows that GDPR will be the information security equivalent of Halloween for years to come. No candy, just lots of spine-chilling regulatory requirements.