Challenges of Law Compliance in the Data Security Arena
PrimeSec CEO Or Lavi served a commanding role in the 8200 army reserves unit, where he gained his first hands on experience in managing Information Security and Data classifications. He is a certified lawyer (LL. M) with expertise in law and technology aspects from the Bar Ilan University, and has over 15 years of experience in the field of IT, information security and related regulatory aspects. After several years in the hi-tech industry, he decided to go back to his origins and founded PrimeSec, a consultancy firm that helps organizations to align their security needs with local and global privacy regulations and standards. Share
What can you tell us about the PrimeSec team?
At Primesec, we believe that service should be conducted at the field and not just theoretically. The company’s managers and employees are all academically educated and highly experienced in the fields of law and computer sciences, well versed in information security and management of regulatory and technological enterprises. They specialize in consulting, integration and risk management at multiple sectors of the economy, from large scale corporations to small businesses, while creating a ‘Costume Made Suite’ to the organization characterization and risks handling.
PrimeSec provides both technological and legal consultation. How do the two coincide?
As a Lawyer and a programmer, and late project manager, I was the "mediator" between business and IT staff and I realized that good organization should find the common language between those two leading units. The company knowledge combines between the world of regulation and law and the world of IT and technology; it allows Primesec to provide a professional consultation in matters of complying the various regulations, while considering the technological complexity in each organization individually.
What are the regulatory challenges that organizations and corporations are facing today?
Over the past year, we have been focusing on the implementation of new Cyber Regulation in the Capital Markets (Insurance, Funds), and two minor regulations in the municipal water sector and the Public Transportation sector.
In the first case, the new regulation has changed a former one, shifting the focus from Data Classification as a main risk, to adopting best practices of handling data in the Cybersphere.
The big challenge is to uncover the new threats while updating working methodologies to address these new regulations, all within a very short time span of one year.
In two other sectors the challenge is to implement information security and Cyber risk assessments in organizations which did not invest in this field previously or which only used minimal resources. Therefore, the aim of our work with such organizations is to establish effective Information Security Systems and manage them in the long run.
Please give us an example of a problematic regulation concerning data security?
The Israeli Privacy Protection Act was legislated in 1981 and has not changed since, although technology and data accessibility have changed dramatically. In many instances, the act uses terms which are no longer relevant, while no clear instructions are as specified for the use of up-to-date technologies and devices. This makes compliance very challenging, and results in entire sectors remaining completely exposed to data leakage.
What best practices would you recommend for technology companies seeking to secure themselves from legal disputes?
A high percentage of information security events that occurred in recent years happened due to the lack of knowledge and awareness of employees. Therefore, in order to fight and eradicate the risks arising from the human resources within the organization, Primesec sees an urgent need in raising information security awareness by building structured education methodologies. Implementing information security measures is not only technological, but a change in the entire approach of organization.
The consequences of information security events are immense, and may include reputational damage, leading to a loss of customers and a lowered market share, thus imposing major financial risks.
How do you see the future of global information security regulations?
In my point of view, future global regulations will be focused in Data Privacy, particularly specified for exceeding Data Mobility and cloud environment usage. Another field of global concern is Cybercrime. Since such crimes are often backed up or even sponsored by governments and politically motivated stakeholders, the fight against Economically motivated Hackers requires cooperation of multiple stakeholders in both the public and the private sectors.